GHSA-7HGR-XVRR-XPW3: Session Persistence After Password Change in Nhost hasura-auth

DEV Community·CVE Reports·24 days ago

Vulnerability ID: GHSA-7HGR-XVRR-XPW3
CVSS Score: 7.5
Published: 2026-05-08

A critical session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password reset. The password update operation fails to invalidate existing refresh tokens in the database, violating standard session revocation principles and rendering password changes ineffective as an incident response measure.

TL;DR

Nhost's hasura-auth component fails to clear active refresh tokens upon a password change. Attackers holding stolen tokens can continue generating valid access tokens indefinitely. …
