Parse Server affected by empty authData bypassing credential requirement on signup
- Severity: Medium
Description
A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **< 8.6.49; >= 9.0.0, < 9.6.0-alpha.29**
Patched version(s): **8.6.49, 9.6.0-alpha.29**
Related Issues
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429
- Parse Server has a bypass of class-level permissions in LiveQuery - CVE-2026-30947
- Tags: npm, parse-server
Last updated on March 19, 2026