Skip to content

Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

Critical severity GitHub Reviewed Published Apr 17, 2026 in nhost/nhost • Updated Apr 18, 2026

Package

gomod github.com/nhost/nhost (Go)

Affected versions

< 0.0.0-20260417112436-ec8dab3f2cf4

Patched versions

0.0.0-20260417112436-ec8dab3f2cf4

Description

Summary

Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter.

The vulnerability is that several provider adapters do not correctly populate this field they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified.

The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session.

Root Cause

In services/auth/go/controller/sign_in_id_token.go, providerFlowSignIn() links a new provider identity to an existing account by email match with no verification guard:

// sign_in_id_token.go:267-296
func (ctrl *Controller) providerFlowSignIn(
    ctx context.Context,
    user sql.AuthUser,
    providerFound bool,
    provider string,
    providerUserID string,
    logger *slog.Logger,
) (*api.Session, *APIError) {
    if !providerFound {
        // Links attacker's provider identity to the victim's account.
        // profile.EmailVerified is NEVER checked here.
        ctrl.wf.InsertUserProvider(ctx, user.ID, provider, providerUserID, logger)
    }
    // Issues a full session  to the attacker.
    session, _ := ctrl.wf.NewSession(ctx, user, nil, logger)
    return session, nil
}

The controller places full trust in whatever profile.EmailVerified the adapter returned. The vulnerabilities below show how that trust is violated.

Correct Implementation (For Reference)

GitHub: providers/github.go

GitHub fetches /user/emails and reads the verified boolean per entry. selectEmail() picks only verified emails. The result is correctly mapped:

selected := selectEmail(emails)   // only selects verified: true entries

return oidc.Profile{
    Email:         selected.Email,
    EmailVerified: selected.Verified,  // real boolean from GitHub API
    ...
}

Vulnerable Providers

1. Discord: providers/discord.go

The Discord GET /users/@me API returns a verified boolean field. Per Discord's official documentation and example User Object:

{
  "id": "80351110224678912",
  "username": "Nelly",
  "email": "nelly@discord.com",
  "verified": true
}

The Nhost struct is missing this field. Go's JSON decoder silently discards it:

type discordUserProfile struct {
    ID            string `json:"id"`
    Username      string `json:"username"`
    Discriminator string `json:"discriminator"`
    Email         string `json:"email"`
    Locale        string `json:"locale"`
    Avatar        string `json:"avatar"`
    // MISSING: Verified bool `json:"verified"`
}

The adapter then sets:

EmailVerified: userProfile.Email != "",  // always true when email is present

Why this is exploitable: Discord allows users to create account without verifying the email address and change their email address without immediately verifying it. After changing email, the account has "verified": false in the API response until the user clicks a confirmation link. An attacker can change their Discord email to the victim's address, leave it unverified, and the Nhost adapter will still present EmailVerified: true, because it never reads the verified field at all.

Fix:

type discordUserProfile struct {
    ID            string `json:"id"`
    Username      string `json:"username"`
    Discriminator string `json:"discriminator"`
    Email         string `json:"email"`
    Verified      bool   `json:"verified"`   // add this
    Locale        string `json:"locale"`
    Avatar        string `json:"avatar"`
}

return oidc.Profile{
    Email:         userProfile.Email,
    EmailVerified: userProfile.Verified,    // use it
    ...
}

2. Bitbucket: providers/bitbucket.go

The Bitbucket adapter correctly queries /user/emails for confirmed entries, but introduces a fallback that defeats its own check:

// bitbucket.go:103-132
for _, e := range emailResp.Values {
    if e.IsConfirmed {
        primaryEmail = e.Email
        break
    } else if fallbackEmail == "" {
        fallbackEmail = e.Email     // stores unconfirmed email
    }
}

if primaryEmail == "" {
    if fallbackEmail == "" {
        return oidc.Profile{}, ErrNoConfirmedBitbucketEmail
    }
    primaryEmail = fallbackEmail    //  uses unconfirmed email
}

return oidc.Profile{
    Email:         primaryEmail,
    EmailVerified: primaryEmail != "",  //  marks it true anyway
    ...
}

Bitbucket's /user/emails endpoint returns all emails, including unconfirmed ones with "is_confirmed": false. An attacker can add the victim's email to their Bitbucket account without confirming it, triggering the fallback path.

Fix:

if primaryEmail == "" {
    // Remove the fallback entirely  no confirmed email means no sign-in
    return oidc.Profile{}, ErrNoConfirmedBitbucketEmail
}

3. AzureAD: providers/azuread.go

AzureAD derives the email through a chain of fallbacks from the userinfo response:

email := userProfile.Email
if email == "" {
    email = userProfile.Prefer   // "preferred_username"  not an email ownership proof
}
if email == "" {
    email = userProfile.UPN      // User Principal Name  not an email ownership proof
}

return oidc.Profile{
    Email:         email,
    EmailVerified: email != "",  // marked verified regardless of source
    ...
}

preferred_username and UPN are internal Azure AD identity attributes. A UPN like attacker@tenant.onmicrosoft.com or a custom UPN set to ceo@target-company.com does not prove that the user controls that external email address. Yet Nhost will treat it as a verified email claim and merge identities if an existing account matches.

Fix: Do not fall back to preferred_username or UPN for account-linking email. Only use a field that Azure AD explicitly certifies as a verified external email (or use the OIDC id_token with the email_verified claim from Azure's v2 endpoint).

4. EntraID: providers/entraid.go

Same pattern as AzureAD. The EntraID adapter reads from graph.microsoft.com/oidc/userinfo but the struct has no email_verified field:

type entraidUser struct {
    Sub        string `json:"sub"`
    GivenName  string `json:"givenname"`
    FamilyName string `json:"familyname"`
    Email      string `json:"email"`
    // MISSING: EmailVerified bool `json:"email_verified"`
}

return oidc.Profile{
    Email:         userProfile.Email,
    EmailVerified: userProfile.Email != "",  // unconditional
    ...
}

Microsoft's OIDC userinfo endpoint does include an email_verified claim per the OpenID Connect specification. Nhost ignores it.

Fix: Add EmailVerified bool \json:"email_verified"`` to the struct and map it correctly.

Attack Scenario (Discord)

Setup: An Nhost application uses Discord OAuth. A victim has an account with admin@target.io.

  1. Attacker opens Discord → User Settings → Account, changes email to admin@target.io, and dismisses the dialog, without clicking the confirmation link.

  2. At this point Discord's API returns "email": "admin@target.io", "verified": false for the attacker's account.

  3. Attacker visits the target application and clicks Sign in with Discord.

  4. Nhost fetches the Discord profile. The missing Verified field in the struct causes the JSON decoder to drop it. The adapter sets EmailVerified: true because "admin@target.io" != "".

  5. Nhost finds the victim's account by email, sees no Discord provider row linked to it, and calls InsertUserProvider to link the attacker's Discord ID.

  6. Nhost issues a full session for the victim's account and returns it to the attacker.

  7. The attacker is now authenticated as the victim.

The attack is silent, the victim receives no notification and the session appears entirely legitimate.

Defense-in-Depth Gap (Informational)

Several other providers also use EmailVerified: email != "", the same logical pattern as the vulnerable ones above. However, these are not currently exploitable because the platforms themselves enforce email verification before returning an address in the API response:

Provider API Field Used Why Not Exploitable Today
Twitch email string only Twitch requires email verification at sign-up; the API never returns an unverified email
GitLab email string only GET /api/v4/user only returns the confirmed primary email
Facebook email via Graph API Facebook only includes email in the response when it is confirmed
Twitter email via verify_credentials Twitter requires a working email address on the account
Spotify email string only Spotify enforces verification before account activation
Windows Live preferred account email Microsoft's Live API only surfaces confirmed addresses
WorkOS email from SSO profile Controlled by the enterprise IdP

These providers happen to be safe due to external platform behavior, not due to any validation in Nhost's code. The email != "" shortcut is fragile:

  • If any of these platforms change how their API works, Nhost silently becomes exploitable for that provider.

  • Any developer adding a new provider in the future will likely copy the same pattern, believing it is the established convention, creating vulnerabilities in new integrations.

For this reason, the controller-level guard in Layer 1 of the fix below is important even beyond the four currently vulnerable providers: it makes the system safe by design regardless of what any individual adapter returns.

Impact

  • Full account takeover of any existing Nhost user.

  • Requires no interaction from the victim.

  • Attacker can change the account email, disable other login methods, and permanently lock out the legitimate owner.

  • Severity escalates to Critical in applications with admin or privileged accounts.

References

@dbarrosop dbarrosop published to nhost/nhost Apr 17, 2026
Published to the GitHub Advisory Database Apr 18, 2026
Reviewed Apr 18, 2026
Last updated Apr 18, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS score

Weaknesses

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-6g38-8j4p-j3pr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.