CVE 8.7 HIGH

Parse Server: Denial of service via unindexed database query for unconfigured auth providers_CVE-2026-33538

April 12, 2026 invoker category_cve
8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.

Basic Information

ID CVE-2026-33538
Source GitHub_M
Published Mar 24, 2026 at 18:24
Modified Mar 24, 2026 at 18:37

Affected Product

Vendor parse-community
Product parse-server
Version < 8.6.58
Affected Versions parse-community parse-server < 8.6.58
parse-community parse-server >= 9.0.0, < 9.6.0-alpha.52

CWE Classification

CWE-400

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.