FKIE_CVE-2026-31828

Vulnerability from fkie_nvd - Published: 2026-03-10 22:16 - Updated: 2026-03-11 14:28
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.
References
security-advisories@github.comhttps://github.com/parse-community/parse-server/releases/tag/8.6.26Product, Release Notes
security-advisories@github.comhttps://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13Product, Release Notes
security-advisories@github.comhttps://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47cVendor Advisory, Patch
Impacted products
Vendor Product Version
parseplatform parse-server *
parseplatform parse-server *
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F3920902-9365-4C17-BB8F-674A28AE52D9",
              "versionEndExcluding": "8.6.26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D",
              "versionEndExcluding": "9.5.2",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*",
              "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*",
              "matchCriteriaId": "79CCA374-1498-4651-9FF9-F0B73D76CEB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*",
              "matchCriteriaId": "2EEA21BC-9699-4625-9319-5C687219C716",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha12:*:*:*:node.js:*:*",
              "matchCriteriaId": "D79432DC-A58A-4858-BBA1-2BEECBEBF6E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*",
              "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*",
              "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*",
              "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*",
              "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*",
              "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*",
              "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*",
              "matchCriteriaId": "0E619B8B-BC91-4F71-B84D-52E563AB8E03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*",
              "matchCriteriaId": "6C9DB980-4201-43D3-B019-2A6B325B896E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26."
    },
    {
      "lang": "es",
      "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Anteriormente a 9.5.2-alpha.13 y 8.6.26, el adaptador de autenticaci\u00f3n LDAP es vulnerable a la inyecci\u00f3n LDAP. La entrada proporcionada por el usuario (authData.id) se interpola directamente en los Nombres Distinguidos LDAP (DN) y en los filtros de b\u00fasqueda de grupo sin escapar caracteres especiales. Esto permite a un atacante con credenciales LDAP v\u00e1lidas manipular la estructura del DN de enlace y eludir las comprobaciones de membres\u00eda de grupo. Esto posibilita la escalada de privilegios desde cualquier usuario LDAP autenticado a un miembro de cualquier grupo restringido. La vulnerabilidad afecta a los despliegues de Parse Server que utilizan el adaptador de autenticaci\u00f3n LDAP con control de acceso basado en grupos. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.13 y 8.6.26."
    }
  ],
  "id": "CVE-2026-31828",
  "lastModified": "2026-03-11T14:28:08.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T22:16:20.783",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-90"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.