Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.

INFO

Published Date :

2026-03-24T18:11:36.824Z

Last Modified :

2026-03-25T13:39:23.559Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33409 vulnerability.

Vendors Products
Parse Community
  • Parse Server
Parseplatform
  • Parse-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33409.

URL Resource
https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c cve-icon cve-icon
https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d cve-icon cve-icon
https://github.com/parse-community/parse-server/pull/10246 cve-icon cve-icon
https://github.com/parse-community/parse-server/pull/10247 cve-icon cve-icon
https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact