CVE-2026-33409 HIGH

CVE-2026-33409: Parse Server: Auth provider validation bypass on login via partial authData

Vendor Parse-Community
Product parse-server
Weakness CWE-287 · Improper authentication
Published March 24, 2026
Last update March 25, 2026

CVSS base score

7.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.

Key dates

02Disclosure timeline

March 24, 2026 CVE published
March 25, 2026 Record updated