CVE-2026-33409
CRITICALParse Server: Auth provider validation bypass on login via partial authData
Title source: cnaDescription
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/pull/10246
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/pull/10247
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c
X_Refsource_Misc x_refsource_misc
https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d
Scores
CVSS v3
9.1
EPSS
0.0046
EPSS Percentile
35.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (5)
npm/parse-server
9.0.0 - 9.6.0-alpha.41npm
parse-community/parse-server
< 8.6.52
parse-community/parse-server
>= 9.0.0, < 9.6.0-alpha.41
parseplatform/parse-server
9.6.0 alpha1 (40 CPE variants)
parseplatform/parse-server
< 8.6.52
Published
Mar 24, 2026
Tracked Since
Mar 25, 2026