Parse Server affected by empty authData bypassing credential requirement on signup

Description

A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.49

  >= 9.0.0, < 9.6.0-alpha.29**

• Patched version(s): **8.6.49

  9.6.0-alpha.29**

References

• GHSA-wjqw-r9x4-j59v
• CVE-2026-33042
• CWE-287
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
• Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
• Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
• Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828

You might also like:

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

parse-server