High severity7.5NVD Advisory· Published Mar 31, 2026· Updated Apr 7, 2026

CVE-2026-34200

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.

Affected products

Nhost/Cli
cpe:2.3:a:nhost:cli:*:*:*:*:*:*:*:*
Range: <1.41.0

Patches

15eae9285f9d

https://github.com/nhost/nhostvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9nvdPatch
github.com/nhost/nhost/pull/4060nvdIssue TrackingPatch
github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2nvdExploitVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000