CVE-2026-56326 Nuxt CVE debrief

Who should care

Developers and administrators using Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Nuxt and implementing additional security measures to prevent phishing attacks and OAuth authorization-code theft. Organizations that use Nuxt-based applications should also be aware of this vulnerability and ensure that their applications are updated to a secure version.

Technical summary

The vulnerability is caused by a lack of proper validation of path-normalized payloads in the navigateTo function of Nuxt. This allows an attacker to bypass external-host checks and redirect users to attacker-controlled sites. The vulnerability can be exploited via the Location header or meta-refresh. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

This vulnerability has a medium severity and a CVSS score of 5.3. It is recommended that affected systems be patched as soon as possible to prevent exploitation.

Recommended defensive actions

• Upgrade to Nuxt version 4.4.7 or later
• Upgrade to Nuxt version 3.21.7 or later
• Implement additional security measures to prevent phishing attacks and OAuth authorization-code theft
• Monitor applications for suspicious activity
• Ensure that applications are updated to a secure version

Evidence notes

The CVE record for CVE-2026-56326 was obtained from the official CVE website. The vulnerability details were obtained from the NVD database and the Nuxt security advisory. The CVSS vector was obtained from the NVD database.

Official resources