Timing Attack Vulnerability in Parse Server by Parse Community
CVE-2026-39321

6.3 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 7 April 2026

What is CVE-2026-39321?

Parse Server, an open-source backend for Node.js, has a vulnerability in which the login endpoint's response time reveals whether an account exists. When the submitted username or email does not exist, the server responds quickly; when the username exists but the password is wrong, the response takes noticeably longer because the server performs a bcrypt comparison. This discrepancy allows unauthorized enumeration of valid usernames, exposing the application to further attacks. The issue is resolved in versions 9.8.0-alpha.6 and 8.6.74.

Affected Version(s)

parse-server >= 9.0.0, < 9.8.0-alpha.6

parse-server < 8.6.74

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
