Authentication Bypass in Parse Server Affects User Accounts
CVE-2026-33409
7 HIGH
What is CVE-2026-33409?
An authentication bypass vulnerability in Parse Server allows an attacker to gain unauthorized access to user accounts linked to third-party authentication providers. An attacker who knows a user's provider ID can log in as that user and obtain full access to the account without any credentials. The vulnerability arises specifically when the server option 'allowExpiredAuthDataToken' is enabled. The issue has been fixed in Parse Server versions 8.6.52 and 9.6.0-alpha.41, and users are urged to upgrade to these versions to keep their accounts secure.
Affected Version(s)
Package: parse-server
  Affected: < 8.6.52
  Patched: 8.6.52
Package: parse-server
  Affected: >= 9.0.0, < 9.6.0-alpha.41
  Patched: < 9.0.0, 9.6.0-alpha.41
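The following is an added example, not code from the Parse Server project or from this advisory, showing how a defender can audit a deployment against the two conditions the advisory names: an affected parse-server version and the 'allowExpiredAuthDataToken' option being enabled. The version ranges are copied from the table above; the semver comparison handles prerelease identifiers so that 9.6.0-alpha.5 correctly sorts before 9.6.0-alpha.41. The config object shape (a plain object whose 'allowExpiredAuthDataToken' key mirrors the server option) and the function names are assumptions made for this example.

```javascript
// Added example (not Parse Server project code): audit a Parse Server
// deployment against the advisory's version ranges and option.

// Affected ranges as stated on the advisory page.
const AFFECTED_RANGES = [
  { lower: null, lowerInclusive: false, upper: "8.6.52", upperInclusive: false, fixed: "8.6.52" },
  { lower: "9.0.0", lowerInclusive: true, upper: "9.6.0-alpha.41", upperInclusive: false, fixed: "9.6.0-alpha.41" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into core numbers and prerelease identifiers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer precedence for a single prerelease identifier: numeric identifiers compare
// numerically and sort before alphanumeric ones; alphanumeric compare as ASCII strings.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 following SemVer precedence rules.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  // Same core: a prerelease has lower precedence than the corresponding release.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

function inRange(version, r) {
  if (r.lower != null) {
    const c = compareSemver(version, r.lower);
    if (c < 0 || (c === 0 && !r.lowerInclusive)) return false;
  }
  const c = compareSemver(version, r.upper);
  if (c > 0 || (c === 0 && !r.upperInclusive)) return false;
  return true;
}

// True when the installed parse-server version falls in one of the advisory's ranges.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some((r) => inRange(version, r));
}

// Combine the version check with the option the advisory names. The config argument is
// assumed to carry the same key name as the server option ('allowExpiredAuthDataToken').
function auditParseServerConfig(config, version) {
  const affected = isAffectedVersion(version);
  const optionEnabled = config.allowExpiredAuthDataToken === true;
  let risk, advice;
  if (affected && optionEnabled) {
    risk = "vulnerable";
    advice = "Upgrade immediately; until then set allowExpiredAuthDataToken to false.";
  } else if (affected) {
    risk = "affected-version";
    advice = "Option is off, but the version is in an affected range; upgrade.";
  } else {
    risk = "patched";
    advice = "Version is outside the affected ranges.";
  }
  return { version, affected, optionEnabled, risk, advice };
}

// Constructed sample configuration for demonstration.
const sampleConfig = { appId: "example-app", allowExpiredAuthDataToken: true };
console.log(auditParseServerConfig(sampleConfig, "8.6.51"));
console.log(auditParseServerConfig(sampleConfig, "8.6.52"));
```

Running the block prints a "vulnerable" finding for 8.6.51 with the option on, and "patched" for 8.6.52. Note that 9.6.0 (a release) sorts above 9.6.0-alpha.41, so a 9.x release at or beyond the alpha is reported as outside the affected range, matching the table.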
