Description
The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets.
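To make the weakness concrete, here is the distinguishable-response pattern beside a uniform-response fix, as an added example in plain JavaScript; it is not parse-server's own code, and the handler functions, user store, route names and redirect targets are all constructed for illustration:

```javascript
// Added example, not parse-server's own code: a minimal "resend verification
// email" handler in two variants, showing how a username-existence oracle
// arises from differing redirect targets and how a uniform response removes it.
// The user store, route names and redirect targets below are constructed.

const users = new Map([
  ["alice", { email: "alice@example.test", emailVerified: false }],
  ["bob",   { email: "bob@example.test",   emailVerified: true  }],
]);

// Constructed redirect targets; the real page routes are not modelled here.
const PAGES = {
  sent: "/verify_email_send_success",
  invalid: "/invalid_link",
};

// Leaky pattern: the redirect target depends on whether the username exists
// and still has an unverified email, so the response itself is the oracle.
function resendVerificationLeaky(username, sendMail) {
  const user = users.get(username);
  if (!user || user.emailVerified) {
    return { status: 302, location: PAGES.invalid };
  }
  sendMail(user.email);
  return { status: 302, location: PAGES.sent };
}

// Hardened pattern: do the work only when it applies, but always answer with
// the same status and redirect target, so the caller learns nothing about
// whether the username exists or what its verification state is.
function resendVerificationUniform(username, sendMail) {
  const user = users.get(username);
  if (user && !user.emailVerified) {
    sendMail(user.email);
  }
  return { status: 302, location: PAGES.sent };
}

// Regression check a maintainer can keep in a test suite: probe the handler
// with an unverified user, a verified user and a non-existent user and confirm
// the externally visible responses are identical for all three.
function responsesAreUniform(handler) {
  const probes = ["alice", "bob", "nobody-here"];
  const seen = new Set(
    probes.map((u) => JSON.stringify(handler(u, () => {})))
  );
  return seen.size === 1;
}

// Stand-alone usage: the leaky handler fails the check, the uniform one passes.
console.log("leaky uniform?  ", responsesAreUniform(resendVerificationLeaky));
console.log("hardened uniform?", responsesAreUniform(resendVerificationUniform));
```

The check only covers the response body and status; a full regression test should also compare response headers and timing, since any of them can reopen the oracle once the redirect target has been made uniform.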
Recommendation
Update the parse-server package to the latest compatible version. The affected and patched versions are:
- Affected version(s): **< 8.6.51** and **>= 9.0.0, < 9.6.0-alpha.40**
- Patched version(s): **8.6.51** and **9.6.0-alpha.40**
References
Related Issues
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
- Parse Server has a login timing side-channel reveals user existence - CVE-2026-39321
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
- Tags:
- npm
- parse-server
Last updated on March 30, 2026