Parse Server has an auth provider validation bypass on login via partial authData

Description

An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user’s credentials. The attacker only needs to know the user’s provider ID to gain full access to their account, including a valid session token.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.52

  >= 9.0.0, < 9.6.0-alpha.41**

• Patched version(s): **8.6.52

  9.6.0-alpha.41**

References

• GHSA-pfj7-wv7c-22pr
• CVE-2026-33409
• CWE-287
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
• Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
• Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098

Tags:

npm

parse-server