
CVE-2026-34200 - Vulnerability Analysis


Last Updated: March 31, 2026

Nhost CLI MCP - Cross-Site Request Forgery

Published: March 31, 2026 | Updated: March 31, 2026 | PoC Available

Overview

Nhost CLI MCP server versions before 1.41.0 contain a cross-site request forgery vulnerability caused by a lack of inbound authentication and missing strict CORS enforcement. This lets malicious websites on the same machine invoke privileged tools using local credentials. Exploitation requires an explicit, non-default configuration.

Severity & Score

Severity: N/a

Impact

Malicious websites on the same machine can invoke privileged tools using the developer's credentials, potentially leading to unauthorized actions.

Mitigation

Update to version 1.41.0 or later.

Details

CVE ID: CVE-2026-34200
Severity: N/a
Type: cross_site_request_forgery
Status: new

CWE

  • CWE-306

CVSS Metrics

N/A