Unauthenticated Account Takeover Vulnerability in Parse Server by Parse Community
CVE-2026-32248

9.3 CRITICAL

Key Information:

Vendor: Parse Community
CVE Published: 12 March 2026

What is CVE-2026-32248?

Parse Server, an open-source backend framework that runs on Node.js, is vulnerable to an unauthenticated account takeover because certain authentication providers do not properly validate the format of the user identifier they receive. An attacker can exploit this by sending a specially crafted login request that causes the server to perform a pattern-matching query instead of an exact-match lookup. As a result, the attacker can impersonate an existing user by obtaining a valid session token for that user's account. The vulnerability affects deployments that allow anonymous authentication, a setting that is enabled by default in many servers. Fixes are available, and users are urged to upgrade to version 9.6.0-alpha.12 or 8.6.38 to mitigate the risk.
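The mitigation the advisory describes, strict validation of the provider-supplied user identifier before any lookup is built, as an added example that is not Parse Server's own code. The function and constant names (validateProviderId, buildUserLookup, ID_PATTERN) and the allow-list pattern are assumptions; the property enforced is that the value reaching the database is a plain, bounded string compared for equality, whatever shape the client sent.

```javascript
// Added example (not Parse Server's own code): strict validation of the user
// identifier in an auth-provider payload before any lookup is built. Names
// (validateProviderId, buildUserLookup, ID_PATTERN) are hypothetical.
const ID_PATTERN = /^[A-Za-z0-9_.\-:@]{1,128}$/; // assumed allow-list for provider ids
class AuthDataError extends Error {}

// Returns the validated id string or throws. Only primitive strings pass:
// objects, arrays, numbers and null are rejected before a query exists, so
// a structured value can never be interpreted as a query operator.
function validateProviderId(authData, provider) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    throw new AuthDataError('authData must be an object');
  }
  const entry = authData[provider];
  if (entry === null || typeof entry !== 'object' || Array.isArray(entry)) {
    throw new AuthDataError(`authData.${provider} must be an object`);
  }
  const id = entry.id;
  if (typeof id !== 'string') {
    throw new AuthDataError(`authData.${provider}.id must be a string`);
  }
  if (!ID_PATTERN.test(id)) {
    throw new AuthDataError(`authData.${provider}.id has an unexpected format`);
  }
  return id;
}

// Builds the lookup as an explicit equality test on the validated string,
// so the database sees a literal value rather than an operator document.
function buildUserLookup(authData, provider) {
  const id = validateProviderId(authData, provider);
  return { [`authData.${provider}.id`]: { $eq: id } };
}

// Runs constructed sample inputs (not taken from the advisory) through the
// builder and reports which were accepted or rejected.
function checkSamples() {
  const results = { ok: buildUserLookup({ anonymous: { id: 'a1b2c3' } }, 'anonymous') };
  const bad = {
    object: { anonymous: { id: { nested: 'value' } } },
    array: { anonymous: { id: ['x'] } },
    number: { anonymous: { id: 42 } },
    empty: { anonymous: { id: '' } },
  };
  for (const [name, input] of Object.entries(bad)) {
    try { buildUserLookup(input, 'anonymous'); results[name] = 'accepted'; }
    catch (e) { results[name] = e instanceof AuthDataError ? 'rejected' : 'error'; }
  }
  return results;
}
```

A deployment would apply the same check to every provider's id field, not only anonymous, since the advisory names "certain authentication providers" without restricting the flaw to one.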

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.12 (fixed in 9.6.0-alpha.12)

parse-server < 8.6.38 (fixed in 8.6.38)

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
