DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7HGR-XVRR-XPW3: Session Persistence After Password Change in Nhost hasura-auth

Vulnerability ID: GHSA-7HGR-XVRR-XPW3
CVSS Score: 7.5
Published: 2026-05-08

A critical session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password reset. The password update operation does not invalidate the user's existing refresh tokens in the database, so an attacker who already holds one keeps access after the password is changed. This violates standard session revocation principles and renders password changes ineffective as an incident response measure.

TL;DR

Nhost's hasura-auth component fails to clear active refresh tokens upon a password change. Attackers holding stolen tokens can continue generating valid access tokens indefinitely.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-613: Insufficient Session Expiration
  • Attack Vector: Network (Requires stolen refresh token)
  • Estimated CVSS: 7.5 (High)
  • Impact: Persistent unauthorized access post-credential rotation
  • Exploit Status: Conceptually straightforward, requires prerequisite compromise
  • Patch Status: Fixed in PR #4192

Affected Systems

  • Nhost hasura-auth backend service
  • Nhost nhost-js client SDK
  • hasura-auth: versions prior to PR #4192 (fixed in PR #4192)
  • nhost-js: versions prior to PR #4192 (fixed in PR #4192)

Code Analysis

Commit: 52c7066

The fix deletes the user's refresh tokens atomically, in the same statement as the password update, by means of a CTE (common table expression), so the new password hash and the token revocation land together or not at all.
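To make the failure mode concrete, here is an added example (not Nhost's code) that models the bug and the fix with an in-memory SQLite schema: after a vulnerable password change a previously issued refresh token still refreshes, after the fixed one it is rejected. The table and column names, and the PostgreSQL statement shown as a string, are assumptions, not the project's actual SQL.

```python
import secrets
import sqlite3

# Constructed schema modelled on the advisory's auth.refresh_tokens table (column names assumed).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT NOT NULL);
CREATE TABLE refresh_tokens (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
"""

# Assumed shape of the PostgreSQL fix (not the project's exact SQL): one statement
# both updates the hash and deletes the tokens, so neither change can land alone.
# SQLite has no data-modifying CTE, so change_password_fixed() uses one transaction instead.
POSTGRES_ATOMIC_UPDATE = """
WITH updated AS (
    UPDATE auth.users SET password_hash = $2 WHERE id = $1 RETURNING id
)
DELETE FROM auth.refresh_tokens rt USING updated u WHERE rt.user_id = u.id;
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login(conn, user_id, password_hash):
    """Create the user if absent and issue a refresh token, as a login would."""
    conn.execute("INSERT OR IGNORE INTO users VALUES (?, ?)", (user_id, password_hash))
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO refresh_tokens VALUES (?, ?)", (token, user_id))
    conn.commit()
    return token

def refresh(conn, token):
    """True if the token is still accepted, i.e. a new access token would be issued."""
    return conn.execute("SELECT 1 FROM refresh_tokens WHERE token = ?", (token,)).fetchone() is not None

def change_password_vulnerable(conn, user_id, new_hash):
    # Only the hash changes; every refresh token survives (the reported bug).
    conn.execute("UPDATE users SET password_hash = ? WHERE id = ?", (new_hash, user_id))
    conn.commit()

def change_password_fixed(conn, user_id, new_hash):
    # Hash update and token revocation commit together or roll back together.
    with conn:
        conn.execute("UPDATE users SET password_hash = ? WHERE id = ?", (new_hash, user_id))
        conn.execute("DELETE FROM refresh_tokens WHERE user_id = ?", (user_id,))
```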

Mitigation Strategies

  • Upgrade the Nhost backend services to a release subsequent to PR #4192.
  • Upgrade the nhost-js SDK to incorporate the updateSessionFromResponseMiddleware.
  • Implement continuous monitoring on the auth.refresh_tokens table for anomalous long-lived entries.
  • Educate users to manually terminate active sessions if native global logout is unsupported in their current deployment.

Remediation Steps:

  1. Review the current deployment version of hasura-auth and nhost-js.
  2. Update the backend Go service with the CTE SQL modifications to ensure atomic token deletion.
  3. Update all frontend clients leveraging the nhost-js SDK to force local storage clearing on password changes.
  4. Run a manual cleanup script targeting the auth.refresh_tokens table for any accounts modified prior to the patch application.
