CVE-2026-31828

HIGH

Parse Server <9.5.2-alpha.13/8.6.26 - LDAP Injection

Title source: llm

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.

References (3)

[Vendor Advisory] https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c

[Release Notes] https://github.com/parse-community/parse-server/releases/tag/8.6.26

[Release Notes] https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13

Scores

CVSS v3 8.8

EPSS 0.0014

EPSS Percentile 33.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-90

Status published

Products (3)

npm/parse-server 9.0.0-alpha.1 - 9.5.2-alpha.13npm

parseplatform/parse-server 9.5.2 alpha1 (12 CPE variants)

parseplatform/parse-server < 8.6.26

Published Mar 10, 2026

Tracked Since Mar 11, 2026