FKIE_CVE-2026-33538
Vulnerability from fkie_nvd - Published: 2026-03-24 19:16 - Updated: 2026-03-25 21:18
Severity
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "4037DE7F-EB18-4D37-80E1-3FEF4A77D096",
"versionEndExcluding": "8.6.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A",
"versionEndExcluding": "9.6.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*",
"matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*",
"matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*",
"matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*",
"matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*",
"matchCriteriaId": "7567BB81-7837-4265-B792-6A9B73CECF93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*",
"matchCriteriaId": "0035C6F1-21B9-42D1-BE29-690905F3558C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*",
"matchCriteriaId": "623FB30A-0693-4449-80FA-16D36B1BE66C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*",
"matchCriteriaId": "9B420167-CD3E-45A7-AD9A-0F83AEC634BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*",
"matchCriteriaId": "030A8626-DBBD-4BF2-B362-79B44FB1204D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*",
"matchCriteriaId": "D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*",
"matchCriteriaId": "65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*",
"matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*",
"matchCriteriaId": "23E28E0F-9379-4628-B9DC-8C94A45902CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*",
"matchCriteriaId": "6631BE51-74FB-40C0-9E91-0EDF2DCADD7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*",
"matchCriteriaId": "8B0E4254-14A3-4EB6-9E98-CF45EB08B17F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*",
"matchCriteriaId": "0FF63FDE-75F5-44B6-A958-CF653D84D3B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*",
"matchCriteriaId": "252B812D-A162-41C1-91CD-08D0CBAC5C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*",
"matchCriteriaId": "421691EA-F55A-4738-8ABD-74B53B6DF155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*",
"matchCriteriaId": "5E7FAB59-142E-4191-9A6F-0744D810CD81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*",
"matchCriteriaId": "B010F310-05A1-48AE-B002-8F4C7FA62EB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*",
"matchCriteriaId": "4D3B2C32-16D8-415B-A49F-060ECE8F0F33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*",
"matchCriteriaId": "43BE83C2-C756-4A5A-A340-B7D1FB52078D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*",
"matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*",
"matchCriteriaId": "702EBB22-3E9F-4CBE-B855-2E3642C530B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*",
"matchCriteriaId": "7C17AD66-684F-4662-AF16-838FF05F47D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*",
"matchCriteriaId": "13C25963-CAE7-49AA-A941-254DCE289E35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*",
"matchCriteriaId": "B6BF0C2F-DD2B-4864-961F-CA808EF22633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*",
"matchCriteriaId": "8FBB21E9-CB73-4CB1-841A-D1C08167DB51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*",
"matchCriteriaId": "4CD55F0B-D854-43D4-A0F5-F83386DB24C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*",
"matchCriteriaId": "1097E8DF-3D0E-47C6-882D-E37B22119538",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*",
"matchCriteriaId": "8C60F121-1C0B-4EB5-87EF-F1BED070C13B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*",
"matchCriteriaId": "04D8514D-CC66-4E6B-90C8-6108F0DAA661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*",
"matchCriteriaId": "4BB65A73-7BB7-42E4-97A3-4D6305172E05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*",
"matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*",
"matchCriteriaId": "192A78FB-E141-4F14-8C4A-20A4118B01C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*",
"matchCriteriaId": "CA4FEA42-4240-42B1-A5C2-6F74CBBACB92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42:*:*:*:node.js:*:*",
"matchCriteriaId": "7192B894-2616-4852-850B-39CF6FCAC4F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43:*:*:*:node.js:*:*",
"matchCriteriaId": "3323535E-C323-4FD9-81E9-8F7A045EDD59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44:*:*:*:node.js:*:*",
"matchCriteriaId": "20A0CF2D-C8C0-4972-8F2B-02B67C171CA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha45:*:*:*:node.js:*:*",
"matchCriteriaId": "EDC9ECE2-303E-429F-8E1B-EC6C6C575642",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha46:*:*:*:node.js:*:*",
"matchCriteriaId": "A8914A97-5BCA-44ED-8767-1C4B5029CA2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha47:*:*:*:node.js:*:*",
"matchCriteriaId": "D1BA3306-9F5B-4F9D-B472-D04E9018667E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha48:*:*:*:node.js:*:*",
"matchCriteriaId": "3CE968D2-0024-45CD-B458-06D13F598875",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha49:*:*:*:node.js:*:*",
"matchCriteriaId": "7FF06066-8433-46B4-A935-66FC2EFA4F2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*",
"matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha50:*:*:*:node.js:*:*",
"matchCriteriaId": "47A519A3-6E15-4758-871A-CA5CB2ECBD75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha51:*:*:*:node.js:*:*",
"matchCriteriaId": "85FEA7B3-1B31-45C7-89B4-2502DA305BAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*",
"matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*",
"matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*",
"matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*",
"matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52."
},
{
"lang": "es",
"value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.58 y 9.6.0-alpha.52, un atacante no autenticado puede causar denegaci\u00f3n de servicio enviando solicitudes de autenticaci\u00f3n con nombres de proveedor arbitrarios y no configurados. El servidor ejecuta una consulta de base de datos para cada proveedor no configurado antes de rechazar la solicitud, y dado que no existe un \u00edndice de base de datos para proveedores no configurados, cada solicitud desencadena un escaneo completo de la colecci\u00f3n en la base de datos de usuarios. Esto puede ser paralelizado para saturar los recursos de la base de datos. Este problema ha sido parcheado en las versiones 8.6.58 y 9.6.0-alpha.52."
}
],
"id": "CVE-2026-33538",
"lastModified": "2026-03-25T21:18:30.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-24T19:16:54.673",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/parse-community/parse-server/pull/10270"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/parse-community/parse-server/pull/10271"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…