Auth bypass in Parse-community Parse-server
CVE-2026-33409
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has li…
Vulnerability class: Broken Authentication
EPSS: 0.000 (8.5th percentile)
Affected products
- Parse-community Parse-server: versions < 8.6.52, and versions >= 9.0.0 but < 9.6.0-alpha.41
Weakness classification (CWE)
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/10246 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/pull/10247 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d (x_refsource_MISC)