User Enumeration Vulnerability in Parse Server by Parse Community
CVE-2026-33323

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 24 March 2026

What is CVE-2026-33323?

An information disclosure vulnerability exists in the Pages route and legacy PublicAPI route of Parse Server, which can lead to unauthorized username enumeration. This issue arises from differing responses based on whether a provided username corresponds to an existing user with an unverified email. Attackers can exploit this flaw to identify valid usernames simply by observing the responses of the API. This vulnerability was addressed in versions 8.6.51 and 9.6.0-alpha.40, with enhancements to the email verification process that now apply to these routes.

Affected Version(s)

parse-server < 8.6.51

parse-server >= 9.0.0, < 9.6.0-alpha.40

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
