Parse Server: Account takeover via operator injection in authentication data identifier
Severity: High
Description
An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication).
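The weak and hardened forms of the identifier check that the description refers to, as an added example that is not Parse Server's own code; the `{ provider: { id } }` shape of the auth data, the field name `id` and the query-key format are assumptions made for this example:

```javascript
// Added example (not Parse Server's own code). Assumes auth data shaped
// like { <provider>: { id: ... } } and that the stored user document is
// queried on the key "authData.<provider>.id".

// Weak form: whatever the client sends as the id is forwarded into the user
// lookup, so an object value is interpreted as a query operator instead of a
// literal identifier (the "operator injection" named in the title).
function buildUserQueryUnchecked(provider, authData) {
  return { [`authData.${provider}.id`]: authData[provider].id };
}

// Hardened form: the identifier must be a non-empty primitive string.
// Objects, arrays, numbers, booleans and empty strings are rejected before
// any query is built, regardless of which provider supplied them.
function validateAuthIdentifier(provider, authData) {
  const entry = authData && authData[provider];
  if (!entry || typeof entry !== 'object' || Array.isArray(entry)) {
    throw new TypeError(`auth data for ${provider} must be an object`);
  }
  const id = entry.id;
  if (typeof id !== 'string' || id.length === 0) {
    throw new TypeError(`auth data id for ${provider} must be a non-empty string`);
  }
  return id;
}

function buildUserQueryChecked(provider, authData) {
  const id = validateAuthIdentifier(provider, authData);
  return { [`authData.${provider}.id`]: id };
}

// Returns true when the hardened validator rejects the input.
function isRejected(provider, authData) {
  try {
    validateAuthIdentifier(provider, authData);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample inputs: a well-formed anonymous id and an object value
// carrying a query operator where a string identifier is expected.
const goodAuth = { anonymous: { id: 'user-123' } };
const badAuth = { anonymous: { id: { $exists: true } } };

console.log('unchecked:', buildUserQueryUnchecked('anonymous', badAuth));
console.log('checked rejects operator object:', isRejected('anonymous', badAuth));
```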
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **< 8.6.38; >= 9.0.0, < 9.6.0-alpha.12**
Patched version(s): **8.6.38; 9.6.0-alpha.12**
References
Related Issues
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
- Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
Tags: npm, parse-server
Last updated on March 13, 2026