Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.52 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4Patch
- https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f67Patch
- https://github.com/parse-community/parse-server/pull/10246Issue Tracking
- https://github.com/parse-community/parse-server/pull/10247Issue Tracking
- https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wvVendor Advisory
FAQ
What is CVE-2026-33409?
CVE-2026-33409 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an at...
How severe is CVE-2026-33409?
CVE-2026-33409 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33409?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.