Description
The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets.
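The pattern described above, as an added example that is not Parse Server's own code: a simplified resend-verification handler whose redirect target depends on account state, next to a version that returns one uniform response. The user store, the mail capture and the redirect paths are constructed placeholders, not the project's real routes.

```javascript
// Added example, not Parse Server's own code: a simplified resend-verification
// handler that reproduces the response-oracle pattern described in the advisory,
// next to a version that returns one uniform response regardless of account state.

// Constructed in-memory user store standing in for the database (hypothetical).
const USERS = new Map([
  ['alice', { email: 'alice@example.com', emailVerified: false }],
  ['bob',   { email: 'bob@example.com',   emailVerified: true  }],
]);

// Captures outbound mail so behaviour can be checked without a mail server.
const SENT = [];
function sendVerificationEmail(user) {
  SENT.push(user.email);
}

// Redirect targets are constructed placeholders, not Parse Server's real URLs.
const REDIRECT_INVALID = '/resend/invalid';
const REDIRECT_SENT    = '/resend/sent';

// Vulnerable shape: account state maps to two distinguishable redirects, so an
// unauthenticated caller learns whether a username exists and is unverified.
function resendVerificationLeaky(username) {
  const user = USERS.get(username);
  if (!user || user.emailVerified) {
    return { status: 302, location: REDIRECT_INVALID };
  }
  sendVerificationEmail(user);
  return { status: 302, location: REDIRECT_SENT };
}

// Hardened shape: the observable response is identical for every input; the only
// state-dependent effect is the email itself, which only the account owner sees.
function resendVerificationUniform(username) {
  const user = USERS.get(username);
  if (user && !user.emailVerified) {
    sendVerificationEmail(user);
  }
  return { status: 302, location: REDIRECT_SENT };
}

// Defender-side check: every probe must produce the same observable response.
function responsesAreUniform(handler, inputs) {
  const seen = new Set(inputs.map((u) => JSON.stringify(handler(u))));
  return seen.size === 1;
}

// Existing unverified user, existing verified user, unknown user.
const PROBES = ['alice', 'bob', 'nobody'];

for (const u of PROBES) {
  console.log(u, 'leaky ->', resendVerificationLeaky(u).location,
                 'uniform ->', resendVerificationUniform(u).location);
}
```

The uniform handler removes the status-code and redirect oracle only; if the database lookup or mail dispatch takes measurably longer on the success path, response timing still needs to be equalized or rate-limited separately.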
Recommendation
Update the parse-server package to the latest compatible version. The following are the version details:
Affected version(s): **< 8.6.51**; **>= 9.0.0, < 9.6.0-alpha.40**. Patched version(s): **8.6.51**; **9.6.0-alpha.40**
References
Related Issues
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Parse Server leaks protected fields via LiveQuery afterEvent trigger - CVE-2026-33163
- parse-server: Malformed `$regex` query leaks database error details in API response - CVE-2026-30835
Tags:
- npm
- parse-server
Last updated on March 19, 2026