OAuth email verification bypass enables Nhost account takeover
TL;DR — Nhost’s OAuth sign-in flow can be turned into an account-takeover primitive when provider adapters mislabel unverified emails as verified, causing attacker-controlled identities to be linked to victim accounts.
What happened
Nhost is an open-source backend platform that provides application services including user authentication. A GitHub-reviewed advisory (GHSA-6g38-8j4p-j3pr) describes a Critical OAuth account-linking flaw where Nhost automatically links an incoming OAuth identity to an existing Nhost user when email addresses match, relying on a provider-supplied profile.EmailVerified boolean.
The advisory states multiple provider adapters incorrectly populate profile.EmailVerified: Discord drops the provider’s verified field and effectively treats “email present” as “email verified”; Bitbucket can fall back to an unconfirmed email and still mark it verified; and Microsoft providers (AzureAD, EntraID) derive email from non-ownership-proving fields (e.g., UPN / principal name) and mark it verified. The advisory’s described result: an attacker can present an email they don’t own, have the OAuth identity merged into the victim’s Nhost account, and receive a full authenticated session.
Why it matters: “email match” account-linking is a common SaaS pattern; when email_verified semantics drift across OAuth providers and adapters, it turns identity federation into a repeatable account-takeover path rather than a convenience feature.
Who is impacted
- Deployments using `github.com/nhost/nhost` with OAuth providers where adapters mishandle email verification (the advisory calls out Discord, Bitbucket, AzureAD, and EntraID).
- Any environment where account linking by email is enabled or relied upon for auth flows.
| Component | Affected versions (per advisory) | Patched versions (per advisory) |
|---|---|---|
| github.com/nhost/nhost (Go module) | < 0.0.0-20260417112436-ec8dab3f2cf4 | 0.0.0-20260417112436-ec8dab3f2cf4 |
Additional signals from the advisory:
- CVSS v4 overall score is listed as 9.3 (Critical).
- CVE status is listed as No known CVE at publication time.
- Root cause is described in `services/auth/go/controller/sign_in_id_token.go`, where `providerFlowSignIn()` links identities “by email match with no verification guard,” and the controller trusts whatever `profile.EmailVerified` the provider adapter returns.
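The missing guard the advisory describes, as an added Go example that is not Nhost's code: a constructed Discord-style adapter mapped two ways (the flawed “email present means verified” mapping beside one that honours the provider's own verified field) feeding a hypothetical `linkByEmail` guard that refuses email-match linking unless ownership was proven. All type and function names here are assumptions, not identifiers from the project.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for a provider profile and a user record (not Nhost's types).
type Profile struct {
	ProviderID, Email string
	EmailVerified     bool
}
type User struct{ ID, Email string }

var ErrUnverifiedLink = errors.New("refusing to link by email: provider did not prove ownership")

// discordRaw models a Discord-style userinfo response; Verified is nil when absent.
type discordRaw struct {
	ID, Email string
	Verified  *bool
}

// mapDiscordUnsafe reproduces the flawed pattern: "email present" is taken as "email verified".
func mapDiscordUnsafe(r discordRaw) Profile {
	return Profile{ProviderID: r.ID, Email: r.Email, EmailVerified: r.Email != ""}
}

// mapDiscordSafe marks the email verified only when the provider explicitly says so.
func mapDiscordSafe(r discordRaw) Profile {
	return Profile{ProviderID: r.ID, Email: r.Email, EmailVerified: r.Verified != nil && *r.Verified}
}

// linkByEmail is the guard: attach to an existing account found by email only when ownership was proven.
func linkByEmail(p Profile, existing *User) (*User, error) {
	if existing == nil || existing.Email != p.Email {
		return nil, nil // no matching account; caller would create a new one
	}
	if !p.EmailVerified {
		return nil, ErrUnverifiedLink
	}
	return existing, nil
}

func main() {
	victim := &User{ID: "u1", Email: "victim@example.com"}   // constructed sample account
	raw := discordRaw{ID: "d1", Email: "victim@example.com"} // response with no verified field
	_, unsafeErr := linkByEmail(mapDiscordUnsafe(raw), victim)
	_, safeErr := linkByEmail(mapDiscordSafe(raw), victim)
	fmt.Println("unsafe adapter linked:", unsafeErr == nil, "| safe adapter linked:", safeErr == nil)
}
```

The same guard applies to the Bitbucket and Microsoft cases the advisory lists: the adapter must only set the verified flag from a field that actually proves mailbox ownership, never from a fallback or principal-name field.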
What to do now
- Follow vendor remediation guidance and apply the advisory’s patched release. Patched version: 0.0.0-20260417112436-ec8dab3f2cf4.
- Inventory where Nhost auth is deployed and determine whether Discord, Bitbucket, AzureAD, or EntraID OAuth providers are enabled in production.
- If you cannot patch immediately, consider compensating controls that reduce exposure while you schedule the update (for example, temporarily disabling affected OAuth providers or tightening who can use them), and document the operational tradeoff.
- If compromise is suspected, review auth/audit logs for unexpected provider-identity linking events and treat affected accounts as potentially taken over (session invalidation and credential/token rotation as appropriate for your environment).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
