CVE-2026-33538
Published 2026-03-24
Priority: P349 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.41% (32.4th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.58 | 8.6.58 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.58 | 8.6.58 |
| parse-community | parse-server | >= 9.0.0 < 9.6.0-alpha.52 | 9.6.0-alpha.52 |
| parseplatform | parse-server | < 8.6.58 | 8.6.58 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0 | 9.6.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2026-03-24
CVE-2026-33538 [HIGH] Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
### Impact
An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.
### Patches
The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.
### Workarounds
There is no known workaround other than upg
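The query-before-validation ordering described under Impact and Patches, shown as an added illustration in JavaScript. This is constructed example code, not Parse Server's own implementation: the `configuredProviders` set, the `FakeUserCollection` stand-in, and the two handler functions are assumptions made for the illustration. The instrumented collection models an unindexed lookup as a full scan of every document, so the database cost of the vulnerable ordering (query first, check configuration after) and the patched ordering (reject unconfigured providers before any query) can be compared on the same batch of requests.

```javascript
'use strict';

// Constructed stand-in for the user collection (an assumption for this example,
// not a Parse Server class). It records every lookup so the difference between
// the two handler orderings is measurable: a lookup on a field with no index
// is modelled as a full scan over every document in the collection.
class FakeUserCollection {
  constructor(users, indexedFields) {
    this.users = users;                      // constructed sample documents
    this.indexedFields = new Set(indexedFields);
    this.queries = 0;                        // number of find() calls issued
    this.documentsScanned = 0;               // documents touched across all queries
  }

  find(field, value) {
    this.queries += 1;
    if (this.indexedFields.has(field)) {
      this.documentsScanned += 1;            // index hit: roughly constant cost
    } else {
      this.documentsScanned += this.users.length; // no index: full collection scan
    }
    return this.users.filter((u) => u[field] === value);
  }
}

// Assumed server configuration: only these providers are set up, and only their
// lookup fields carry an index.
const configuredProviders = new Set(['facebook', 'google']);

// Vulnerable ordering: the lookup on `authData.<provider>.id` runs before the
// provider name is checked, so a request naming an unconfigured provider
// still costs a full scan before it is rejected.
function authenticateVulnerable(collection, provider, providerUserId) {
  const field = `authData.${provider}.id`;
  const matches = collection.find(field, providerUserId);
  if (!configuredProviders.has(provider)) {
    return { ok: false, reason: 'unsupported auth provider' };
  }
  return { ok: true, user: matches[0] || null };
}

// Patched ordering: reject unconfigured providers before touching the database.
function authenticatePatched(collection, provider, providerUserId) {
  if (!configuredProviders.has(provider)) {
    return { ok: false, reason: 'unsupported auth provider' };
  }
  const field = `authData.${provider}.id`;
  const matches = collection.find(field, providerUserId);
  return { ok: true, user: matches[0] || null };
}

// Replay one batch of requests against both orderings on identical constructed
// collections and return the query and scan counters for each.
function compareOrderings(requests, userCount = 1000) {
  const users = Array.from({ length: userCount }, (_, i) => ({
    objectId: `u${i}`,
    'authData.facebook.id': `fb-${i}`,   // flat key keeps the toy lookup simple
  }));
  const indexed = [...configuredProviders].map((p) => `authData.${p}.id`);
  const vuln = new FakeUserCollection(users, indexed);
  const fixed = new FakeUserCollection(users, indexed);
  for (const r of requests) {
    authenticateVulnerable(vuln, r.provider, r.id);
    authenticatePatched(fixed, r.provider, r.id);
  }
  return {
    vulnerable: { queries: vuln.queries, documentsScanned: vuln.documentsScanned },
    patched: { queries: fixed.queries, documentsScanned: fixed.documentsScanned },
  };
}

// Constructed request batch: one legitimate login plus two bogus provider names.
const sampleRequests = [
  { provider: 'facebook', id: 'fb-7' },
  { provider: 'notaprovider', id: 'x' },
  { provider: 'zzz', id: 'x' },
];

const report = compareOrderings(sampleRequests);
console.log(JSON.stringify(report, null, 2));
```

With 1000 constructed users, the vulnerable ordering issues three queries and scans 2001 documents (two full scans for the bogus providers plus one index hit), while the patched ordering issues a single indexed query. The counters are the kind of signal a defender can watch in real deployments: a spike in full collection scans on the user collection paired with a burst of rejected "unsupported auth provider" responses is consistent with this issue being exercised.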
GHSA · 2026-03-24
CVE-2026-33538 [HIGH] CWE-400 Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
No detection rules found.
No public exploits indexed.
https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
https://github.com/parse-community/parse-server/pull/10270
https://github.com/parse-community/parse-server/pull/10271
https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr