Description
The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **< 8.6.74 >= 9.0.0, < 9.8.0-alpha.6** Patched version(s): **8.6.74 9.8.0-alpha.6**
References
Related Issues
- Parse Server email verification resend page leaks user existence - CVE-2026-33323
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
- Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on April 15, 2026