Parse Server: Account takeover via operator injection in authentication data identifier

Description

An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication).

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.38

  >= 9.0.0, < 9.6.0-alpha.12**

• Patched version(s): **8.6.38

  9.6.0-alpha.12**

References

• GHSA-5fw2-8jcv-xh87
• CVE-2026-32248
• CWE-943
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
• Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
• Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
• Parse Server: Pre-authentication denial of service via client version header regex backtracking - CVE-2026-47138

You might also like:

How do hackers hack websites?

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

parse-server