Denial of Service Vulnerability in Parse Server by Parse Community
CVE-2026-33538

8.7 HIGH

Key Information:

Vendor
CVE Published: 24 March 2026

What is CVE-2026-33538?

Parse Server, a widely used open-source backend framework, has a vulnerability that allows unauthenticated attackers to cause a denial of service. When an attacker sends authentication requests containing arbitrary provider names that are not configured, the server runs a database query for each provider. Because there is no index for these unconfigured providers, each query is a full collection scan on the user database, which severely taxes database resources and can lead to resource saturation. This vulnerability affects versions prior to 8.6.58 and 9.6.0-alpha.52. The issue has been resolved in the latest releases.
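One way to avoid the per-provider query described above is to reject unconfigured provider names before any user lookup runs. The JavaScript below is an added example, not Parse Server's own code or its patch. The `authData` request field, the provider allowlist, the per-request cap and the function names are assumptions for illustration.

```javascript
// Added example: allowlist check placed in front of the user lookup.
// ASSUMPTIONS: providers arrive as keys of a JSON `authData` object;
// CONFIGURED_PROVIDERS is a constructed stand-in for the server's auth config.
const CONFIGURED_PROVIDERS = new Set(['google', 'apple']);
const MAX_PROVIDERS_PER_REQUEST = 4; // hypothetical cap

// Returns a verdict without touching the database.
function checkAuthData(body, allowed = CONFIGURED_PROVIDERS) {
  const authData = body == null ? undefined : body.authData;
  if (authData === undefined || authData === null) {
    return { ok: true, providers: [] }; // not a provider-based request
  }
  if (typeof authData !== 'object' || Array.isArray(authData)) {
    return { ok: false, status: 400, reason: 'authData must be an object' };
  }
  // Own keys only, so a parsed "__proto__" key is treated as a provider name.
  const names = Object.keys(authData);
  if (names.length > MAX_PROVIDERS_PER_REQUEST) {
    return { ok: false, status: 400, reason: 'too many providers' };
  }
  const unknown = names.filter((name) => !allowed.has(name));
  if (unknown.length > 0) {
    return { ok: false, status: 400, reason: 'unsupported provider', unknown };
  }
  return { ok: true, providers: names };
}

// Express-style (req, res, next) wrapper; expects an already parsed JSON body.
function authDataGuard(allowed = CONFIGURED_PROVIDERS, log = console.warn) {
  return function guard(req, res, next) {
    const verdict = checkAuthData(req.body, allowed);
    if (verdict.ok) return next();
    // Log a count rather than the attacker-chosen names to keep logs bounded.
    log(JSON.stringify({
      event: 'authdata_rejected',
      ip: req.ip,
      reason: verdict.reason,
      unknownCount: verdict.unknown ? verdict.unknown.length : 0,
    }));
    return res.status(verdict.status).json({ error: verdict.reason });
  };
}
```

The rejection log line gives operations a signal to alert on when one client produces many `authdata_rejected` events.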

Affected Version(s)

parse-server < 8.6.58

parse-server >= 9.0.0, < 9.6.0-alpha.52

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
