7.7
CVE-2026-34200
- EPSS 0.36%
- Veröffentlicht 31.03.2026 13:57:42
- Zuletzt bearbeitet 07.04.2026 21:08:51
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.277 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
The product uses a cross-domain policy file that includes domains that should not be trusted.
https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2
https://github.com/nhost/nhost/pull/4060
https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9