CVE-2026-33409
high-risk
Published 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
Do I need to act?
EPSS: 0.05% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 9.1/10, Critical (attack vector NETWORK, LOW attack complexity)
Affected Products (20)
Affected Vendors
References (5)
Issue Tracking: https://github.com/parse-community/parse-server/pull/10246
Issue Tracking: https://github.com/parse-community/parse-server/pull/10247
Risk score: 55 / 100 (high-risk)
Severity: 31/34 · Critical
Exploitability: 0/34 · Minimal
Exposure: 24/34 · High