Insecure session management In github.com/nhost/nhost
Description
nhost has Session Persistence After Password Change
Description
When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh_tokens and auth.oauth2_refresh_tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.
This vulnerability affects all password change paths (handled in change_user_password.go), since they share the same underlying workflow:
Authenticated password change via the Nhost dashboard or client SDK
Ticket-based password reset (magic links / recovery flows)
OAuth2/OIDC sessions managed via auth.oauth2_refresh_tokens
Attack Scenario
An attacker steals a victim's refresh token via XSS or a compromised device.
The victim changes their password, expecting it to terminate all active sessions.
The server updates password_hash but performs no session cleanup, the stolen token remains fully functional.
Impact
The attacker retains persistent access even after the victim's password change. This is especially severe in credential theft scenarios, where the victim's only recovery action does nothing against an active session. Depending on configured TTL, the attacker's window could be days or weeks.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | github.com/nhost/nhost | 0.0.0-20260430132514-52c70664a7e9 |
Aliases
References