Parse Server vulnerable to user enumeration via email verification endpoint
Severity: Medium
Description
The email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist.
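The difference between state-dependent and uniform responses, as an added example (not Parse Server's code or its patch). The handler names, the in-memory user store, and the error strings are constructed for illustration.

```javascript
// Constructed sample user store; emails and fields are illustrative only.
const users = new Map([
  ['pending@example.com', { emailVerified: false }],
  ['verified@example.com', { emailVerified: true }],
]);

// Pattern described in the advisory: each account state gets its own
// response, so the caller can tell the three states apart.
function leakyHandler(email) {
  const user = users.get(email);
  if (!user) {
    return { status: 400, body: { error: `No user found with email ${email}` } };
  }
  if (user.emailVerified) {
    return { status: 400, body: { error: `Email ${email} is already verified` } };
  }
  return { status: 200, body: {} };
}

// Hardened pattern: decide internally whether to send mail, but return one
// fixed response for every well-formed address. Only input that fails the
// format check (which does not depend on account state) gets an error.
function uniformHandler(email, sendMail) {
  if (typeof email !== 'string' || !/^[^@\s]+@[^@\s]+$/.test(email)) {
    return { status: 400, body: { error: 'a valid email is required' } };
  }
  const user = users.get(email);
  // In a real service, queue this asynchronously so response time
  // does not differ between account states either.
  if (user && !user.emailVerified) sendMail(email);
  return { status: 200, body: {} };
}

// Regression check: how many distinct responses do the three states produce?
function distinctResponses(handler) {
  const states = ['pending@example.com', 'verified@example.com', 'nobody@example.com'];
  return new Set(states.map((e) => JSON.stringify(handler(e, () => {})))).size;
}

console.log('leaky handler distinct responses:', distinctResponses(leakyHandler));
console.log('uniform handler distinct responses:', distinctResponses(uniformHandler));
```

A check like `distinctResponses` can run as a regression test against a staging deployment after upgrading, comparing status code and body for an unverified, a verified, and a nonexistent address.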
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **< 8.6.34**; **>= 9.0.0-alpha.1, < 9.6.0-alpha.8**
Patched version(s): **8.6.34**, **9.6.0-alpha.8**
References
Related Issues
- Parse Server email verification resend page leaks user existence - CVE-2026-33323
- Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
Tags: npm, parse-server
Last updated on March 11, 2026