Platform: nodejs
Component: nhost
Fixed in: 1.41.1
A security vulnerability (CVE-2026-34200) has been identified in the Nhost CLI, affecting versions up to 1.41.0. It allows a malicious website, opened in a browser on the same machine as the CLI, to bypass CORS restrictions and execute privileged commands within the Nhost environment, potentially compromising developer credentials. The vulnerability requires specific, non-default configuration settings to be exploitable; the default Nhost MCP start configuration is not affected. A fix is available in version 1.41.0.
The primary impact of CVE-2026-34200 is the potential for unauthorized access and execution of privileged commands within the Nhost CLI environment. An attacker could leverage this vulnerability to gain control over the developer's Nhost project, potentially accessing sensitive data, modifying configurations, or deploying malicious code. The attack requires the developer to have explicitly configured the Nhost MCP server to listen on a network port, a non-default setting. Successful exploitation hinges on the attacker's ability to craft cross-origin requests that are accepted by the unauthenticated MCP server, effectively impersonating the developer.
CVE-2026-34200 was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits available. The vulnerability's exploitation requires specific configuration steps, which may limit its immediate exploitability. It is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation.
Developers using Nhost CLI who have explicitly configured the MCP server to listen on a network port are at the highest risk. Shared hosting environments where developers may not have full control over their Nhost CLI configuration are also potentially vulnerable.
• nodejs / server: Monitor Nhost CLI processes for unexpected network activity. Use lsof or netstat to identify whether the MCP server is listening on a network port.
  lsof -i :8080 # Replace 8080 with the port if known
• generic web: Examine web server access logs for unusual cross-origin requests targeting the Nhost MCP server. Look for requests originating from unexpected domains.
• generic web: Check Nhost CLI configuration files for explicit network port configurations. These files typically reside in the project directory.
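As an added example (not part of this advisory or of Nhost's own code), the following Node.js script applies the access-log check above to constructed log lines: it parses each line, reads the Origin header, and flags requests to the MCP port whose origin is not a local one. The log format (combined format with a trailing Origin field), the port 8080 and the sample lines are assumptions constructed for this example.

```javascript
// Added example, not Nhost's code. Flags browser requests to a locally exposed
// MCP server whose Origin header is not on an allowlist.
// Assumed: MCP port 8080 and a combined-format log with a trailing "Origin" field.

const MCP_PORT = 8080; // assumed; use the port the CLI was configured to listen on

// Origins that legitimately talk to the local dev server. Adjust to your setup.
const ALLOWED_ORIGINS = new Set([
  `http://localhost:${MCP_PORT}`,
  `http://127.0.0.1:${MCP_PORT}`,
]);

// client - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent" "origin"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/;

// Parse one log line into an object, or return null if it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), origin: m[6] };
}

// Because the server is local, both legitimate and cross-site browser requests arrive
// from 127.0.0.1, so the client IP cannot separate them; the Origin header can.
// A request with an Origin that is absent from the allowlist is the cross-site pattern
// described in the advisory. "-" means no Origin header (a non-browser client).
function isSuspicious(entry) {
  if (!entry || entry.origin === '-' || entry.origin === '') return false;
  return !ALLOWED_ORIGINS.has(entry.origin);
}

// Return the suspicious entries found in a block of log text.
function findCrossOriginRequests(logText) {
  return logText.split('\n').map(parseLine).filter(isSuspicious);
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '127.0.0.1 - - [31/Mar/2026:10:00:01 +0000] "POST /mcp HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
  '127.0.0.1 - - [31/Mar/2026:10:00:05 +0000] "POST /mcp HTTP/1.1" 200 340 "http://localhost:8080/" "Mozilla/5.0" "http://localhost:8080"',
  '127.0.0.1 - - [31/Mar/2026:10:00:09 +0000] "POST /mcp HTTP/1.1" 200 1024 "https://untrusted.example/" "Mozilla/5.0" "https://untrusted.example"',
  '127.0.0.1 - - [31/Mar/2026:10:00:10 +0000] "OPTIONS /mcp HTTP/1.1" 204 0 "-" "Mozilla/5.0" "null"',
].join('\n');

for (const e of findCrossOriginRequests(SAMPLE_LOG)) {
  console.log(`suspicious ${e.method} ${e.path} from Origin ${e.origin} at ${e.time}`);
}
```

An Origin of "null" (sandboxed frames, some redirects) is treated as untrusted on purpose, since it is not a local page.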
disclosure
Exploit status
EPSS: 0.10% (percentile 27%)
CISA SSVC
The primary mitigation for CVE-2026-34200 is to upgrade the Nhost CLI to version 1.41.0 or later, which includes the necessary security fixes. If upgrading is not immediately feasible, avoid explicitly configuring the Nhost MCP server to listen on a network port; not listening on a network port is the default configuration, and that configuration is not vulnerable. Additionally, implement strict CORS policies on any web applications that interact with the Nhost CLI to prevent unauthorized cross-origin requests. Regularly review Nhost CLI configurations to ensure adherence to security best practices.
Update the Nhost CLI to version 1.41.0 or later. This fixes the lack of inbound authentication on the MCP server when it is explicitly configured to listen on a network port. The update mitigates the risk of malicious websites making cross-origin requests to the MCP server.
CVE-2026-34200 is a vulnerability in Nhost CLI versions ≤ 1.41.0 that allows malicious websites to bypass CORS and execute privileged commands using developer credentials. It requires specific configuration.
You are affected if you are using Nhost CLI versions prior to 1.41.0 and have explicitly configured the MCP server to listen on a network port.
Upgrade to Nhost CLI version 1.41.0 or later. If immediate upgrade is not possible, avoid configuring the MCP server to listen on a network port.
As of the public disclosure date, there are no known active exploits, but vigilance is advised.
Refer to the official Nhost security advisories on their website or GitHub repository for the latest information.