Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
- Severity: Medium
Description
The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Distinguished Names (DNs) and group search filters without escaping the characters that are special in those contexts. An attacker who holds valid LDAP credentials can therefore alter the structure of the bind DN and bypass group membership checks.
Recommendation
Update the parse-server package to a patched version. Version details:
- Affected version(s): **< 8.6.26** and **>= 9.0.0-alpha.1, < 9.5.2-alpha.13**
- Patched version(s): **8.6.26** and **9.5.2-alpha.13**
References
Related Issues
- Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- Tags:
- npm
- parse-server
Last updated on March 11, 2026