Parse Server LDAP Injection Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in the LDAP authentication adapter of Parse Server, affecting versions 9.0.0 prior to 9.5.2-alpha.13 and 8.6.26 prior to 8.6.26. It is an LDAP injection: user-supplied input is inserted directly into LDAP Distinguished Names (DNs) and group search filters without proper escaping. An attacker with valid LDAP credentials could exploit this to manipulate the bind DN structure, bypass group membership checks, and escalate privileges from any authenticated LDAP user to a member of a restricted group.
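As an added illustration (not Parse Server's own code), the unescaped DN and group-filter construction the advisory describes is shown beside a hardened version that escapes each user-controlled fragment for its context, per RFC 4514 (DN values) and RFC 4515 (filter values); the DN template, search base and attribute names are assumed.

```javascript
// RFC 4514: escape characters with structural meaning in a DN attribute value.
function escapeDN(value) {
  return String(value)
    .replace(/\\/g, '\\\\')   // backslash first so later escapes are not doubled
    .replace(/,/g, '\\,')
    .replace(/\+/g, '\\+')
    .replace(/"/g, '\\"')
    .replace(/</g, '\\<')
    .replace(/>/g, '\\>')
    .replace(/;/g, '\\;')
    .replace(/=/g, '\\=')
    .replace(/^#/, '\\#')
    .replace(/^ /, '\\ ')
    .replace(/ $/, '\\ ');
}

// RFC 4515: encode filter metacharacters as \XX hex sequences.
function escapeFilter(value) {
  return String(value)
    .replace(/\\/g, '\\5c')
    .replace(/\*/g, '\\2a')
    .replace(/\(/g, '\\28')
    .replace(/\)/g, '\\29')
    .replace(/\0/g, '\\00');
}

// Vulnerable shape (assumed layout): input concatenated straight into the DN and filter,
// so a comma or parenthesis in the input changes the DN / filter structure.
function buildUnsafe(username, groupCn) {
  const bindDn = `uid=${username},ou=people,dc=example,dc=com`;
  return { bindDn, groupFilter: `(&(cn=${groupCn})(member=${bindDn}))` };
}

// Hardened shape: DN escaping for the DN, filter escaping for every filter value,
// including the DN when it is used as a filter assertion value.
function buildSafe(username, groupCn) {
  const bindDn = `uid=${escapeDN(username)},ou=people,dc=example,dc=com`;
  return {
    bindDn,
    groupFilter: `(&(cn=${escapeFilter(groupCn)})(member=${escapeFilter(bindDn)}))`,
  };
}

// Counts RDN components, splitting only on commas that are not escaped.
function dnComponents(dn) {
  return dn.split(/(?<!\\),/).length;
}
```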

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing an authenticated LDAP user to gain access to restricted group resources or permissions.

Remediation

Upgrade to Parse Server version 9.5.2-alpha.13 or 8.6.26 to address this vulnerability.

Added: Mar 10, 2026, 10:21 PM
Updated: Mar 10, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.