PatchSiren

CVE-2026-56697 Nuxt CVE debrief

CVE-2026-56697 is a medium-severity open-redirect vulnerability (CWE-601) in Nuxt 4.0.0 up to but not including 4.4.7, and in 3.x before 3.21.7. The reloadNuxtApp function rejected script-scheme destinations but accepted protocol-relative paths such as //evil.com; because the browser resolves such a path against the current page's protocol, the reload lands on an attacker-controlled origin. An application that passes untrusted input (for example a post-login return path taken from the query string) into reloadNuxtApp can therefore be used to send users to a phishing page or to steal an OAuth authorization code. The CVSS base score is 5.3 (MEDIUM). The CVE was published on 2026-06-22T22:16:52.650Z and last modified on 2026-06-25T16:55:20.860Z.

Vendor
Nuxt
Product
Nuxt
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-25
Advisory published
2026-06-22
Advisory updated
2026-06-25

Who should care

Anyone running Nuxt 4.0.0 before 4.4.7 or 3.x before 3.21.7 is affected. Practical exposure is highest in applications that pass user-controlled values, such as a next or redirect query parameter, into reloadNuxtApp: there, an attacker only needs the victim to open a crafted link to send them off-site, which supports phishing and OAuth authorization-code theft. No server compromise is required, so affected applications should upgrade rather than rely on the absence of other weaknesses.

Technical summary

The flaw is in how reloadNuxtApp validates the destination it is given. The check only rejects script-scheme URLs (the javascript: family), so a protocol-relative value such as //evil.com, which carries no scheme, passes as if it were an in-app path. The browser then resolves it against the current page's protocol, turning a page on https://app.example plus //evil.com into https://evil.com/, and the reload navigates to an attacker-controlled host. Backslash variants such as /\evil.com resolve the same way under browser (WHATWG) URL parsing, so a correct fix compares the resolved origin with the current one rather than inspecting the first characters of the string. The weakness is classified as CWE-601, URL Redirection to Untrusted Site ('Open Redirect').
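The following is an added example, not Nuxt's own code or the fix it shipped. It places a scheme-only check of the kind the advisory describes beside a resolve-and-compare check that refuses any destination whose resolved origin differs from the page's. The page origin https://app.example and the sample inputs are assumptions for the demo; the logic is generic browser URL resolution, and it also covers the backslash variant that a plain "starts with //" test would miss.

```javascript
// Added example (not Nuxt's own code). Shows why a script-protocol check misses
// protocol-relative paths, beside an origin check that catches them.
// PAGE_ORIGIN and SAMPLE_PATHS are assumptions for the demo.

const PAGE_ORIGIN = 'https://app.example'; // assumed origin of the running page

// Flawed: a scheme-only check. '//evil.example' carries no scheme, so it passes,
// yet the browser resolves it against the page protocol to https://evil.example/.
function passesScriptProtocolCheck(path) {
  return !/^\s*(javascript|data|vbscript):/i.test(path);
}

// Hardened: resolve exactly as the browser will (WHATWG parsing, which also
// treats '/\evil.example' as an authority) and require the same origin.
// Returns the normalized same-origin path, or null to refuse the reload.
function sameOriginPathOrNull(path, pageOrigin = PAGE_ORIGIN) {
  if (typeof path !== 'string') return null;
  let resolved;
  try {
    resolved = new URL(path, pageOrigin);
  } catch {
    return null; // unparsable input is refused, not passed through
  }
  const base = new URL(pageOrigin);
  if (resolved.protocol !== base.protocol || resolved.origin !== base.origin) {
    return null;
  }
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs covering the shapes a redirect parameter can take.
const SAMPLE_PATHS = [
  '/dashboard?tab=1',           // legitimate in-app path
  '//evil.example/callback',    // protocol-relative: the CVE-2026-56697 shape
  '/\\evil.example',            // backslash variant, resolves the same way
  'https://evil.example/',      // absolute cross-origin URL
  'javascript:alert(1)',        // the one case the scheme check does catch
  'https://app.example/ok#x',   // absolute but same-origin: allowed
];

// Runs both checks over the inputs and returns the verdicts side by side.
function evaluate(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({
    input: p,
    schemeCheckAllows: passesScriptProtocolCheck(p),
    sameOriginPath: sameOriginPathOrNull(p),
  }));
}

for (const r of evaluate()) console.log(r);
```

In an application, run the value taken from the route query through sameOriginPathOrNull and pass only the returned path on to reloadNuxtApp, falling back to a fixed in-app route when it returns null. Note that the absolute same-origin case is accepted but normalized back to a relative path, so the browser never sees the attacker's string verbatim.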

Defensive priority

Upgrade: Nuxt 4.x applications to 4.4.7 or later, 3.x applications to 3.21.7 or later. Until the upgrade is deployed, do not hand untrusted input to reloadNuxtApp without first resolving it and confirming it stays on the application's own origin.

Recommended defensive actions

  • Upgrade to Nuxt 4.4.7 or 3.21.7 (or later), update the lockfile, and redeploy.
  • Audit every call site of reloadNuxtApp: any destination that originates in a query string, cookie, URL fragment, postMessage, or stored user data must be resolved against the current origin and rejected if it resolves anywhere else.
  • Monitor access logs for redirect-style parameters (next, redirect, return, redirect_uri) whose decoded value starts with //, /\ or an explicit scheme, and for unexpected referrals from login or callback pages to third-party hosts.
  • Harden OAuth flows so a redirect alone cannot hand over a code: register exact redirect URIs at the authorization server, require PKCE, and verify the state value you issued before exchanging the code.
  • Warn users that legitimate login flows stay on your domain, so landing on a login page at another host after following a link is a phishing signal.
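The log-monitoring action above, as an added example that is not part of the advisory or of Nuxt. It scans combined-log-format lines for redirect-style query parameters whose decoded value would leave the site (protocol-relative, backslash, or explicit-scheme targets). The parameter names, the log format, and the log lines are constructed for the demo; decoding is done the way the application would before it hands the value to the browser, which is why the percent-encoded cases are caught.

```javascript
// Added example (not from the advisory or Nuxt). Flags redirect-style query
// parameters whose decoded value would resolve off-site. The parameter names,
// log format and sample lines are constructed for the demo.

const REDIRECT_PARAMS = new Set(['next', 'redirect', 'redirect_uri', 'return', 'returnTo', 'path']);

// Patterns over the *decoded* value, since the app decodes before navigating.
const CROSS_ORIGIN_SHAPES = [
  /^[\/\\]{2}/,               // //host or \\host
  /^\/[\\]/,                  // /\host (browsers treat \ as / in http(s) URLs)
  /^[a-z][a-z0-9+.\-]*:/i,    // any explicit scheme, e.g. https: or javascript:
];

function looksCrossOrigin(value) {
  return CROSS_ORIGIN_SHAPES.some((re) => re.test(value));
}

// Extracts client IP, timestamp and request target from one combined-log line.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Returns one finding per suspicious redirect parameter on the line.
function scanLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return [];
  const [, ip, ts, target] = m;
  let url;
  try {
    url = new URL(target, 'http://placeholder.invalid'); // base only so the query parses
  } catch {
    return [];
  }
  const hits = [];
  for (const [name, value] of url.searchParams) {   // values arrive percent-decoded
    if (REDIRECT_PARAMS.has(name) && looksCrossOrigin(value)) {
      hits.push({ ip, ts, path: url.pathname, param: name, value });
    }
  }
  return hits;
}

function scanLog(text) {
  return text.split('\n').flatMap(scanLine);
}

// Constructed log lines: one benign redirect, three off-site shapes, one decoy.
const SAMPLE_LOG = [
  '203.0.113.5 - - [22/Jun/2026:10:01:02 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 512',
  '203.0.113.9 - - [22/Jun/2026:10:01:07 +0000] "GET /login?next=//evil.example/cb HTTP/1.1" 200 512',
  '198.51.100.2 - - [22/Jun/2026:10:02:11 +0000] "GET /auth/callback?code=abc123&redirect=%2F%2Fevil.example HTTP/1.1" 302 0',
  '198.51.100.3 - - [22/Jun/2026:10:02:15 +0000] "GET /login?next=/%5Cevil.example HTTP/1.1" 200 512',
  '198.51.100.4 - - [22/Jun/2026:10:03:00 +0000] "GET /search?q=//not-a-redirect HTTP/1.1" 200 90',
].join('\n');

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit);
```

Treat a hit as a signal to review rather than proof of an attack: an application that legitimately passes absolute URLs to itself will trip the scheme pattern, so exclude your own origin from that rule if you deploy this against real logs.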

Evidence notes

CVE-2026-56697 is published in NVD with a CVSS base score of 5.3 and affects Nuxt 4.0.0 before 4.4.7 and 3.x before 3.21.7. The stored evidence records no public exploit code and no in-the-wild exploitation; treat that as absence of evidence rather than evidence of absence, since an open redirect is trivial to trigger once a call site that forwards untrusted input is found.

Official resources

This article is AI-assisted and based on the supplied source corpus.