Critical (9.3)

Nhost account takeover via OAuth (CVE-2026-41574)

CVE-2026-41574

CVE-2026-41574: Nhost <0.49.1 OAuth identity merge logic lets attackers hijack victim sessions without owning their email. Patch to 0.49.1 now.

Patch now - CVE-2026-41574 is a critical account takeover in Nhost versions prior to 0.49.1 that lets an attacker hijack a victim’s full authenticated session by linking a forged OAuth identity to the victim’s account. Patched in version 0.49.1 - update immediately.

Overview

CVE-2026-41574 (CVSS 9.3) stems from how Nhost handles OAuth identity linking during login. The platform automatically merges a new OAuth identity into an existing account when the email addresses match. This behavior is only safe when the OAuth provider has verified the email — but several of Nhost’s provider adapters fail to correctly check that verification status.

The affected adapters include Discord, Bitbucket, Azure AD, and EntraID. They either drop the verified field the provider returns, accept unconfirmed emails as verified, or derive the email address from metadata like user principal names that carry no proof of ownership. An attacker can present an arbitrary email address to Nhost through these broken adapters, have the OAuth profile merged into the victim’s Nhost account, and immediately receive a valid authenticated session.

Impact

A successful exploit gives the attacker full access to the victim’s Nhost account, including all data accessible through GraphQL queries and mutations. Because the account takeover happens during OAuth login and Nhost trusts the spoofed identity, the attacker receives a standard authenticated session token with no additional verification steps.

Remediation

  • Upgrade Nhost to version 0.49.1 or later.
  • Ensure all deployed Nhost instances are running the patched controller.
  • No workaround is available; the issue is in the core identity-merge logic.

Security Insight

This vulnerability illustrates a recurring pattern in OAuth implementations: trusting provider metadata without verifying the ownership chain. When identity linking is automated, the email verification status must be independently confirmed, not blindly accepted from a boolean in the provider’s response. Nhost’s fix corrects the adapter gaps, but the pattern — automatic merge on match — remains a design risk that other frameworks should review.
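The merge-on-match flow described under Overview and the insight above can be made concrete in a small model. The following Go program is an added example, not Nhost's code: it constructs a minimal in-memory account store, a weak adapter that discards the provider's verification flag and falls back to a user principal name (the gap the advisory describes), a hardened adapter that marks an email verified only when the provider explicitly asserts it, and a linking routine that refuses to merge an unverified identity into an existing account. All type names, the `victim@example.test` address and the provider payloads are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (not Nhost's code): models automatic identity merge on email
// match and the adapter gap that makes it unsafe. All names and sample data
// below are constructed for illustration.

// Profile is the normalized identity an adapter hands to the login flow.
type Profile struct {
	Provider      string
	ProviderUID   string
	Email         string
	EmailVerified bool // must reflect a verification claim the provider actually made
}

// Account is a local user record with its linked provider identities.
type Account struct {
	ID         string
	Email      string
	Identities []string // entries of the form "provider:uid"
}

// Store is an in-memory stand-in for the user database.
type Store struct {
	byEmail    map[string]*Account
	byIdentity map[string]*Account
}

func NewStore() *Store {
	return &Store{byEmail: map[string]*Account{}, byIdentity: map[string]*Account{}}
}

// AddAccount registers an existing, email-verified local account (the victim).
func (s *Store) AddAccount(id, email string) *Account {
	a := &Account{ID: id, Email: email}
	s.byEmail[email] = a
	return a
}

// WeakAdapter mirrors the flawed pattern: it discards the provider's
// "verified" flag and falls back to a user principal name, which proves
// nothing about mailbox ownership.
func WeakAdapter(raw map[string]any) Profile {
	email, _ := raw["email"].(string)
	if email == "" {
		email, _ = raw["userPrincipalName"].(string)
	}
	uid, _ := raw["id"].(string)
	return Profile{Provider: "weak", ProviderUID: uid, Email: email, EmailVerified: true}
}

// HardenedAdapter only marks the email verified when the provider says so
// explicitly, and never derives an email from non-email metadata.
func HardenedAdapter(raw map[string]any) Profile {
	email, _ := raw["email"].(string)
	verified, _ := raw["verified"].(bool)
	uid, _ := raw["id"].(string)
	return Profile{Provider: "hardened", ProviderUID: uid, Email: email, EmailVerified: email != "" && verified}
}

var ErrUnverifiedMerge = errors.New("email not verified by provider: refusing to link to existing account")

// LinkOrLogin implements merge-on-match, gated on EmailVerified.
func LinkOrLogin(s *Store, p Profile) (*Account, error) {
	key := p.Provider + ":" + p.ProviderUID
	if a, ok := s.byIdentity[key]; ok {
		return a, nil // identity already linked: ordinary login
	}
	if existing, collides := s.byEmail[p.Email]; collides {
		if !p.EmailVerified {
			return nil, ErrUnverifiedMerge // the check the flawed adapters bypass
		}
		existing.Identities = append(existing.Identities, key)
		s.byIdentity[key] = existing
		return existing, nil
	}
	// No collision: create a fresh account; only a verified email becomes a merge key.
	a := &Account{ID: "acct-" + key, Email: p.Email, Identities: []string{key}}
	if p.Email != "" && p.EmailVerified {
		s.byEmail[p.Email] = a
	}
	s.byIdentity[key] = a
	return a, nil
}

func main() {
	s := NewStore()
	s.AddAccount("victim-1", "victim@example.test")
	// Constructed provider response: attacker-controlled id, victim's address, not verified.
	raw := map[string]any{"id": "9001", "email": "victim@example.test", "verified": false}

	a, err := LinkOrLogin(s, WeakAdapter(raw))
	fmt.Println("weak adapter:", a.ID, err) // merged into victim-1: the takeover

	_, err = LinkOrLogin(NewStore(), HardenedAdapter(raw))
	fmt.Println("hardened adapter:", err) // no collision in a fresh store, so a new account
	s2 := NewStore()
	s2.AddAccount("victim-1", "victim@example.test")
	_, err = LinkOrLogin(s2, HardenedAdapter(raw))
	fmt.Println("hardened adapter with victim present:", err) // refuses the merge
}
```

The point of the `LinkOrLogin` gate is that `EmailVerified` is only as trustworthy as the adapter that set it: the weak adapter hard-codes it to true and accepts a principal name as an email, so the gate passes and the caller receives the victim's account, whereas the hardened adapter propagates the provider's own claim and the same payload is rejected. A deployment that cannot rely on every adapter can additionally drop the automatic merge and require a separate proof of mailbox ownership before linking.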

For related threat intelligence on authentication bypasses and identity spoofing, see our coverage of APT28 DNS hijacking campaigns, SOHO router compromises targeting Microsoft 365 credentials, and zero-day exploitation patterns in identity systems.
