nango is vulnerable to Observable Response Discrepancy
25
Low Risk
The nango self-hosted server exposes a password reset endpoint at POST /api/v1/account/forgot-password that returns different responses depending on whether the submitted email belongs to a registered account. Unknown emails receive an HTTP 400 user_not_found error while existing emails receive an HTTP 200 success response, letting an unauthenticated attacker enumerate valid accounts. The fix makes the endpoint always return the same HTTP 200 success response, running the reset flow only when the account exists and swallowing internal errors so responses are indistinguishable.
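To make the discrepancy concrete, here is the same forgot-password handler written two ways: the shape the advisory describes as vulnerable beside the hardened shape that always answers with the same success reply. This is an added illustration, not nango's own code; the account lookup, the mailer, and the `@fail.test` failure trigger are constructed stand-ins, and the handlers return plain `{status, body}` objects so they run without a web framework.

```typescript
// Added example (not nango's code). Constructed in-memory stand-ins for the
// account store and the mailer; a real handler would call the database and
// an email provider instead.
type Reply = { status: number; body: Record<string, unknown> };

const registeredEmails = new Set(['alice@example.com', 'bob@fail.test']); // constructed sample accounts
const resetEmailsSent: string[] = []; // records which addresses were actually mailed

function findAccount(email: string): { email: string } | null {
  return registeredEmails.has(email) ? { email } : null;
}

function sendResetEmail(email: string): void {
  // Constructed failure trigger: simulates the mail provider throwing.
  if (email.endsWith('@fail.test')) throw new Error('mail provider down');
  resetEmailsSent.push(email);
}

// Vulnerable shape: the status code and error code reveal whether the
// account exists, and a mailer failure surfaces as yet another distinct reply.
function forgotPasswordVulnerable(body: { email: string }): Reply {
  const account = findAccount(body.email);
  if (!account) return { status: 400, body: { error: { code: 'user_not_found' } } };
  sendResetEmail(account.email);
  return { status: 200, body: { success: true } };
}

// Hardened shape: unknown email, known email and internal failure all return
// the identical reply; the reset flow runs only when the account exists.
function forgotPasswordHardened(body: { email: string }): Reply {
  const generic: Reply = { status: 200, body: { success: true } };
  try {
    const account = findAccount(body.email);
    if (account) sendResetEmail(account.email);
  } catch {
    // Swallowed on purpose: log server-side, never let the client see it.
  }
  return generic;
}
```

The hardened handler closes the status-code channel the advisory describes; note that it still does more work for existing accounts, so response timing is a separate side channel this change does not address.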
You are affected if you are using a version that falls within the vulnerable range and your deployment exposes the local email/password authentication flow.
nango is vulnerable to Observable Response Discrepancy in versions 0.16.0 - 0.70.7.
Upgrade the nango library to the patched version.