CVE-2026-34969: Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback
The auth service’s OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs.
Note that the refresh token is one-time use, and all of these leak vectors sit on infrastructure owned by, or services integrated by, the application developer.
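As an added illustration (not Nhost's code, and not necessarily the fix the project shipped), the redirect pattern the advisory describes is shown beside a common mitigation: the browser is handed a random single-use code, and the refresh token is released only through a separate exchange request, so nothing that lands in history, access logs, Referer headers or proxy logs is reusable. The function names, the callback URL and the token value are assumptions constructed for the example.

```go
package main
import (
	"crypto/rand"
	"encoding/base64"
	"net/url"
	"sync"
)
func withParam(rawURL, key, val string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(key, val)
	u.RawQuery = q.Encode()
	return u.String(), nil
}
// VulnerableRedirect is the pattern the advisory describes, written here as an
// illustration (not Nhost's code): the refresh token rides in the query string,
// so browser history, access logs, Referer headers and proxies all record it.
func VulnerableRedirect(clientURL, refreshToken string) (string, error) {
	return withParam(clientURL, "refreshToken", refreshToken)
}
// Pending single-use codes -> refresh token. A real service would also attach a
// short expiry and keep the map in a shared store; both are omitted for brevity.
var mu sync.Mutex
var codes = map[string]string{}
// HardenedRedirect gives the browser a random one-time code instead; the token
// is released only through Exchange, so a URL captured in a log is worthless.
func HardenedRedirect(clientURL, refreshToken string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	mu.Lock()
	codes[code] = refreshToken
	mu.Unlock()
	return withParam(clientURL, "code", code)
}
// Exchange redeems a code exactly once; a second use or an unknown code fails closed.
func Exchange(code string) (string, bool) {
	mu.Lock()
	defer mu.Unlock()
	token, ok := codes[code]
	delete(codes, code)
	return token, ok
}
```

The client would call Exchange over an authenticated POST to the auth service rather than reading anything from the URL.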