CVE-2026-41574 - Nhost OAuth email verification bypass

rg -n "github.com/nhost/nhost|nhost|providerFlowSignIn|InsertUserProvider|EmailVerified|email_verified|verified|is_confirmed|discord|bitbucket|azuread|entraid|oauth|oidc" .
go list -m all | rg 'github.com/nhost/nhost'
rg -n "AUTH|OAUTH|OIDC|DISCORD|BITBUCKET|AZURE|ENTRA|NHOST" .env* Dockerfile* docker-compose*.yml charts deploy k8s helm .github .

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41574 / GHSA-6g38-8j4p-j3pr (Nhost OAuth email
verification bypass leading to account takeover). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Nhost or fixes the OAuth
  account-linking guard, adds regression coverage, and documents operator
  actions, or
- TRIAGE.md if this repository does not own an affected Nhost Auth deployment
  or cannot make a safe change.

## Rules

- Scope only CVE-2026-41574 / GHSA-6g38-8j4p-j3pr.
- Treat OAuth tokens, ID tokens, refresh tokens, cookies, session IDs, user
  profile payloads, provider IDs, emails, audit logs, and linked-account data as
  sensitive.
- Do not create test accounts using real victim emails or real production
  identity providers.
- Do not silently unlink, merge, delete, or relink user identities.
- Do not log token material or full provider payloads.
- Do not auto-merge.

## Steps

1. Inventory every Nhost Auth asset controlled by this repository:
   Go modules, vendor trees, generated clients, Dockerfiles, compose files,
   Helm/Kubernetes manifests, Terraform, CI images, SBOMs, runbooks,
   environment templates, auth configuration, and deployment docs.
2. Determine whether `github.com/nhost/nhost` resolves below
   `0.0.0-20260417112436-ec8dab3f2cf4`.
3. Identify enabled OAuth/OIDC providers, especially Discord, Bitbucket,
   AzureAD, and EntraID. Include local, staging, production, preview, and
   self-hosted configurations.
4. Search account-linking code and provider adapters for `EmailVerified`,
   `email_verified`, `verified`, `is_confirmed`, `InsertUserProvider`,
   `providerFlowSignIn`, fallback email logic, `preferred_username`, user
   principal name, and `email != ""` verification shortcuts.
5. If this repository does not own an affected Nhost Auth deployment, stop with
   `TRIAGE.md` listing files checked, resolved versions, enabled providers if
   visible, suspected runtime owner, and the exact upgrade requested.
6. Prefer upgrading to `github.com/nhost/nhost`
   `0.0.0-20260417112436-ec8dab3f2cf4+`. Regenerate `go.sum`, vendor metadata,
   SBOMs, images, and rendered deployment manifests.
7. If this repository owns a fork or equivalent auth code, patch the invariant:
   - never auto-link an incoming provider identity to an existing account unless
     the provider email is explicitly verified by that provider;
   - reject Discord emails when the provider `verified` value is false or
     absent;
   - reject Bitbucket emails unless they come from a confirmed email record;
   - do not use AzureAD or EntraID `preferred_username`, UPN, or equivalent
     tenant-local identifiers as verified external email ownership proof;
   - fail closed for provider adapters that cannot prove email verification.
8. Add regression tests:
   - unverified Discord email does not link to an existing account;
   - Bitbucket unconfirmed fallback email does not link;
   - AzureAD/EntraID fallback identifiers do not link as verified email;
   - verified provider email still links only when provider ID and tenant
     constraints are valid;
   - a custom/new provider with missing verification data fails closed.
9. Add temporary containment if upgrade cannot be deployed immediately:
   - disable affected OAuth providers;
   - block automatic provider linking by email;
   - require existing-session reauthentication for privileged users;
   - increase audit logging without recording secrets.
10. Add a PR body section named `CVE-2026-41574 operator actions` that states:
    - affected Nhost version before and after;
    - enabled OAuth/OIDC providers;
    - whether automatic provider linking by email was enabled;
    - which sessions, cookies, refresh tokens, or auth caches must be expired;
    - how to audit provider links created during the vulnerable window;
    - which suspicious linked identities require human-reviewed unlinking or
      account recovery.
11. Run relevant validation: auth unit tests, provider adapter tests,
    integration tests with mocked provider payloads, `go test ./...`,
    dependency/security scan, SBOM refresh, image build, and deployment render.
12. Use PR title:
    `fix(sec): enforce verified OAuth email linking in Nhost`

## Stop conditions

- No affected Nhost Auth deployment is controlled by this repository.
- A fixed Nhost revision cannot be consumed without a broader auth migration.
- Provider-link cleanup requires changing real user ownership without an
  operator-approved recovery plan.
- Verification would require real provider accounts, production emails, or
  production tokens.
- Tests fail for unrelated pre-existing reasons; document those failures
  instead of broadening scope.