Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.
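The response pattern described above and one way to remove it, as an added example that is not Parse Server's code or its actual patch. The user store, handler names, status codes and error bodies are constructed for illustration.

```javascript
// Simplified model of an email-verification request handler.
// Assumption: all records, codes and messages below are constructed.
const users = new Map([
  ['alice@example.com', { emailVerified: false }],
  ['bob@example.com', { emailVerified: true }],
]);

const sent = [];
function sendVerificationEmail(email) { sent.push(email); }

// Before: each account state yields its own response, so the caller
// learns whether an address is registered and whether it is verified.
function verificationEmailRequestLeaky(email) {
  const user = users.get(email);
  if (!user) {
    return { status: 400, body: { code: 1, error: 'no user for email' } };
  }
  if (user.emailVerified) {
    return { status: 400, body: { code: 2, error: 'already verified' } };
  }
  sendVerificationEmail(email);
  return { status: 200, body: {} };
}

// After: the response is identical in every case; the account state only
// decides whether a message is actually sent.
function verificationEmailRequestUniform(email) {
  const user = users.get(email);
  if (user && !user.emailVerified) sendVerificationEmail(email);
  return { status: 200, body: {} };
}

// Regression check: count distinct serialized responses across the three
// account states (unverified, verified, unknown). A safe handler gives 1.
function distinctResponses(handler, emails) {
  return new Set(emails.map((e) => JSON.stringify(handler(e)))).size;
}

const probes = ['alice@example.com', 'bob@example.com', 'nobody@example.com'];
console.log('leaky:', distinctResponses(verificationEmailRequestLeaky, probes));
console.log('uniform:', distinctResponses(verificationEmailRequestUniform, probes));
```

Response time is a second channel: if the mail is sent inline, eligible addresses can answer measurably slower, so queue the send and return immediately.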
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.34 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.34 (Product, Release Notes)
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8 (Product, Release Notes)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf (Patch, Vendor Advisory)
FAQ
What is CVE-2026-31901?
CVE-2026-31901 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) r...
How severe is CVE-2026-31901?
CVE-2026-31901 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31901?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.