Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning — CVE-2026-46342

Summary

### Summary The `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component without verifying that the URL-resident hash (`<Name>_<hashId>.json`) was actually issued for those inputs by `<NuxtIsland>`. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the…

Product

npm: nuxt | npm: @nuxt/nitro-server

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories