Platform: nodejs
Component: nhost
Fixed in: 1.41.1
A security vulnerability (CVE-2026-34200) has been identified in the Nhost CLI, affecting versions up to 1.41.0. This issue allows a malicious website, opened in a browser on the same machine, to bypass CORS restrictions and execute privileged commands within the Nhost environment, potentially compromising developer credentials. The vulnerability requires specific, non-default configuration settings to be exploitable, and the default Nhost MCP start configuration is not affected. A fix is available in version 1.41.0.
The primary impact of CVE-2026-34200 is the potential for unauthorized access and execution of privileged commands within the Nhost CLI environment. An attacker could leverage this vulnerability to gain control over the developer's Nhost project, potentially accessing sensitive data, modifying configurations, or deploying malicious code. The attack requires the developer to have explicitly configured the Nhost MCP server to listen on a network port, a non-default setting. Successful exploitation hinges on the attacker's ability to craft cross-origin requests that are accepted by the unauthenticated MCP server, effectively impersonating the developer.
CVE-2026-34200 was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits available. The vulnerability's exploitation requires specific configuration steps, which may limit its immediate exploitability. It is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.10% (27th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34200 is to upgrade the Nhost CLI to version 1.41.0 or later, which includes the necessary security fixes. If upgrading is not immediately feasible, avoid explicitly configuring the Nhost MCP server to listen on a network port; not listening on a network port is the default configuration and is not vulnerable. Additionally, implement strict CORS policies on any web applications that interact with the Nhost CLI to prevent unauthorized cross-origin requests. Regularly review Nhost CLI configurations to ensure adherence to security best practices.
Update the Nhost CLI to version 1.41.0 or higher. This corrects the lack of inbound authentication on the MCP server when configured explicitly to listen on a network port. The update mitigates the risk of malicious websites executing cross-origin requests to the MCP server.
CVE-2026-34200 is a vulnerability in Nhost CLI versions ≤ 1.41.0 that allows malicious websites to bypass CORS and execute privileged commands using developer credentials. It requires specific configuration.
You are affected if you are using Nhost CLI versions prior to 1.41.0 and have explicitly configured the MCP server to listen on a network port.
Upgrade to Nhost CLI version 1.41.0 or later. If immediate upgrade is not possible, avoid configuring the MCP server to listen on a network port.
As of the public disclosure date, there are no known active exploits, but vigilance is advised.
Refer to the official Nhost security advisories on their website or GitHub repository for the latest information.