<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-20T09:45:17.107798+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/6ee9f6fa-5054-486e-a910-239303269762/export</id>
    <title>6ee9f6fa-5054-486e-a910-239303269762</title>
    <updated>2026-06-20T09:45:17.470279+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "6ee9f6fa-5054-486e-a910-239303269762", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-7HGR-XVRR-XPW3", "type": "seen", "source": "https://gist.github.com/alon710/a2e4841e35af8a18a7e5e75c8d1f5747", "content": "# GHSA-7HGR-XVRR-XPW3: GHSA-7HGR-XVRR-XPW3: Session Persistence After Password Change in Nhost hasura-auth\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-05-08\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-7HGR-XVRR-XPW3\n\n## Summary\nA critical session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password reset. The password update operation fails to invalidate existing refresh tokens in the database, violating standard session revocation principles and rendering password changes ineffective as an incident response measure.\n\n## TL;DR\nNhost's hasura-auth component fails to clear active refresh tokens upon a password change. Attackers holding stolen tokens can continue generating valid access tokens indefinitely.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-613: Insufficient Session Expiration\n- **Attack Vector**: Network (Requires stolen refresh token)\n- **Estimated CVSS**: 7.5 (High)\n- **Impact**: Persistent unauthorized access post-credential rotation\n- **Exploit Status**: Conceptually straightforward, requires prerequisite compromise\n- **Patch Status**: Fixed in PR #4192\n\n## Affected Systems\n\n- Nhost hasura-auth backend service\n- Nhost nhost-js client SDK\n- **hasura-auth**: &amp;lt; PR #4192 (Fixed in: `PR #4192`)\n- **nhost-js**: &amp;lt; PR #4192 (Fixed in: `PR #4192`)\n\n## Mitigation\n\n- Upgrade the Nhost backend services to a release subsequent to PR #4192.\n- Upgrade the nhost-js SDK to incorporate the updateSessionFromResponseMiddleware.\n- Implement continuous monitoring on the auth.refresh_tokens table for anomalous long-lived entries.\n- Educate users to manually terminate active sessions if native global logout is unsupported in their current deployment.\n\n**Remediation Steps:**\n1. Review the current deployment version of hasura-auth and nhost-js.\n2. Update the backend Go service with the CTE SQL modifications to ensure atomic token deletion.\n3. Update all frontend clients leveraging the nhost-js SDK to force local storage clearing on password changes.\n4. Run a manual cleanup script targeting the auth.refresh_tokens table for any accounts modified prior to the patch application.\n\n## References\n\n- [GitHub Advisory: Session Persistence After Password Change](https://github.com/advisories/GHSA-7HGR-XVRR-XPW3)\n- [Pull Request 4192: Fix session invalidation on password change](https://github.com/nhost/nhost/pull/4192)\n- [Commit 52c70664a7e92031e592b873471939b10ca18079](https://github.com/nhost/nhost/commit/52c70664a7e92031e592b873471939b10ca18079)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-7HGR-XVRR-XPW3) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T18:10:29.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/6ee9f6fa-5054-486e-a910-239303269762/export"/>
    <published>2026-05-08T18:10:29+00:00</published>
  </entry>
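The sighting above describes a CWE-613 flaw (a password change that leaves the user's refresh tokens in the database), a fix that deletes those tokens atomically with the hash update, and a cleanup/monitoring pass over auth.refresh_tokens. The following Python example is added here as an illustration; it is not code from this feed, from CVEReports or from the nhost project. It replays a stolen refresh token against a vulnerable and a fixed password-change path using an in-memory SQLite stand-in for the auth.users and auth.refresh_tokens tables, and includes the audit query a cleanup or monitoring job would run to find refresh tokens issued before their owner's last password change. The table and column names, the password_changed_at column, the opaque "hash-v1"/"hash-v2" placeholders (not real password hashes), the "alice" user and the timestamps are all assumptions made for the demo.

```python
import sqlite3
import uuid

# Assumed stand-in schema for hasura-auth's auth.users / auth.refresh_tokens tables.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
                    password_changed_at INTEGER NOT NULL);
CREATE TABLE refresh_tokens (id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id),
                             created_at INTEGER NOT NULL, expires_at INTEGER NOT NULL);
"""

UPDATE_HASH = "UPDATE users SET password_hash = ?, password_changed_at = ? WHERE id = ?"


def new_db(user_id="alice", now=1000):
    """In-memory database holding one user whose password was last set at `now`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user_id, "hash-v1", now))
    conn.commit()
    return conn


def issue_refresh_token(conn, user_id, now, ttl=30 * 86400):
    """Hand out a long-lived refresh token, as a login would."""
    token_id = str(uuid.uuid4())
    conn.execute("INSERT INTO refresh_tokens VALUES (?, ?, ?, ?)",
                 (token_id, user_id, now, now + ttl))
    conn.commit()
    return token_id


def refresh_is_valid(conn, token_id, now):
    """Would the service mint a new access token for this refresh token?
    Only existence and expiry are checked; nothing ties the token to the
    password it was issued under, which is the CWE-613 gap."""
    row = conn.execute("SELECT 1 FROM refresh_tokens WHERE id = ? AND expires_at > ?",
                       (token_id, now)).fetchone()
    return row is not None


def change_password_vulnerable(conn, user_id, new_hash, now):
    """The reported behaviour: the hash is rotated, refresh tokens are untouched."""
    conn.execute(UPDATE_HASH, (new_hash, now, user_id))
    conn.commit()


def change_password_fixed(conn, user_id, new_hash, now):
    """Rotate the hash and revoke every refresh token of the user in one unit.
    Postgres can express this as a single data-modifying CTE; SQLite cannot,
    so one transaction provides the same all-or-nothing guarantee here."""
    with conn:  # commits on success, rolls back if either statement fails
        conn.execute(UPDATE_HASH, (new_hash, now, user_id))
        cur = conn.execute("DELETE FROM refresh_tokens WHERE user_id = ?", (user_id,))
    return cur.rowcount


def find_stale_tokens(conn):
    """Audit query for the cleanup/monitoring steps: a refresh token created
    before its owner's latest password change should not exist any more."""
    rows = conn.execute(
        "SELECT rt.id FROM refresh_tokens rt JOIN users u ON u.id = rt.user_id "
        "WHERE u.password_changed_at > rt.created_at").fetchall()
    return [r[0] for r in rows]


def demo():
    """Replay a stolen refresh token against both code paths after a password change."""
    results = {}

    vuln = new_db()
    stolen = issue_refresh_token(vuln, "alice", now=1000)
    change_password_vulnerable(vuln, "alice", "hash-v2", now=2000)
    results["vulnerable_token_still_valid"] = refresh_is_valid(vuln, stolen, now=2001)
    results["stale_tokens_found"] = find_stale_tokens(vuln)  # what a cleanup script would delete

    fixed = new_db()
    stolen = issue_refresh_token(fixed, "alice", now=1000)
    results["tokens_revoked"] = change_password_fixed(fixed, "alice", "hash-v2", now=2000)
    results["fixed_token_still_valid"] = refresh_is_valid(fixed, stolen, now=2001)
    results["stale_after_fix"] = find_stale_tokens(fixed)
    return results


if __name__ == "__main__":
    print(demo())
```

The stale-token query doubles as the monitoring check from the report's mitigation list: run periodically against a deployment that predates the fix, any row it returns is a refresh token that survived a password change and should be deleted and investigated.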
</feed>
