anonhaven
Ad

CVE-2026-33409

HIGH CVSS 4.0: 7.0 EPSS 0.04%
Updated Mar 25, 2026
Parseplatform
Parameter Value
CVSS 7.0 (HIGH)
Affected Versions 9.0.0 — 9.6.0
Fixed In 8.6.52
Type CWE-287 (Improper Authentication)
Vendor Parseplatform
Public PoC No

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.

This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
High
Admin privileges needed
User Interaction
Active
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-287 Improper Authentication

Vulnerable Products 42

Configuration From (including) Up to (excluding)
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
 8.6.52
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
 9.0.0 9.6.0
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*

References 5

https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b…
security-advisories@github.com
https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f6…
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10246
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10247
security-advisories@github.com
https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-w…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33627

Parseplatform

7.1

CVE-2026-33624

Parseplatform

2.1

CVE-2026-33539

MongoDB

8.6

CVE-2026-33538

Parseplatform

8.7

CVE-2026-33527

Parseplatform

5.3