Parse Server User Enumeration Vulnerability via Email Verification Endpoint

Vulnerability

A user enumeration vulnerability has been identified in Parse Server versions prior to 8.6.34 and 9.6.0-alpha.8. The issue arises in the email verification endpoint, which returns different error responses depending on the state of the submitted email address in the application. An attacker can therefore submit requests for a range of email addresses and, by comparing the returned error codes, determine which addresses are registered. This vulnerability affects any Parse Server deployment with email verification enabled.
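The response difference described above is only useful to an attacker who submits many addresses, so one defender-side check is to look for clients that hit the verification endpoint with many distinct emails in a short window. The following detector is an added example and not Parse Server code; the endpoint path (/verificationEmailRequest), the JSON-per-line log format, the sample records and the thresholds are all assumptions.

```javascript
// Added example, not Parse Server code: flag clients that hit the email
// verification endpoint with many distinct addresses in a short window.
// Endpoint path, log format and thresholds are assumptions.
const ENDPOINT = "/verificationEmailRequest"; // assumed REST path
const WINDOW_MS = 5 * 60 * 1000;
const MAX_DISTINCT_EMAILS = 5;
// Constructed sample log, one JSON record per request (not real traffic).
const SAMPLE_LOG = `
{"ts":"2026-03-11T20:00:01Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":400,"email":"u1@example.test"}
{"ts":"2026-03-11T20:00:02Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":200,"email":"u2@example.test"}
{"ts":"2026-03-11T20:00:03Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":400,"email":"u3@example.test"}
{"ts":"2026-03-11T20:00:04Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":400,"email":"u4@example.test"}
{"ts":"2026-03-11T20:00:05Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":200,"email":"u5@example.test"}
{"ts":"2026-03-11T20:00:06Z","ip":"203.0.113.7","path":"/verificationEmailRequest","status":400,"email":"u6@example.test"}
{"ts":"2026-03-11T20:01:00Z","ip":"198.51.100.4","path":"/verificationEmailRequest","status":200,"email":"me@example.test"}
{"ts":"2026-03-11T20:02:00Z","ip":"198.51.100.4","path":"/classes/Post","status":200,"email":null}
`.trim().split("\n");
function parseLine(line) {
  try {
    const rec = JSON.parse(line);
    if (!rec.ts || !rec.ip || !rec.path) return null; // missing required fields
    return { ...rec, ts: Date.parse(rec.ts) };
  } catch { return null; } // non-JSON lines are ignored
}
// One entry per client that used >= maxDistinct addresses within any windowMs
// span on the endpoint, with the set of response statuses it observed.
function findEnumerationSuspects(lines, windowMs = WINDOW_MS, maxDistinct = MAX_DISTINCT_EMAILS) {
  const byIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.path !== ENDPOINT) continue;
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, []);
    byIp.get(rec.ip).push(rec);
  }
  const suspects = [];
  for (const [ip, recs] of byIp) {
    recs.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < recs.length; i++) {
      // every request from this client within windowMs of request i
      const inWindow = recs.filter(r => r.ts >= recs[i].ts && r.ts - recs[i].ts <= windowMs);
      const emails = new Set(inWindow.map(r => r.email));
      if (emails.size < maxDistinct) continue;
      const statuses = [...new Set(inWindow.map(r => r.status))].sort((a, b) => a - b);
      suspects.push({ ip, distinctEmails: emails.size, statuses });
      break; // report each client once
    }
  }
  return suspects;
}
console.log(JSON.stringify(findEnumerationSuspects(SAMPLE_LOG)));
```

A mix of statuses in the reported set (here 200 and 400) is the signal that the client was able to tell registered addresses from unregistered ones; after upgrading to a fixed version the endpoint should answer uniformly and that mix disappears.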

Impact

Exploitation of this vulnerability allows for user enumeration, where an attacker can identify registered email addresses based on the application's response to verification requests.

Remediation

Upgrade to Parse Server version 8.6.34 or 9.6.0-alpha.8 to address this vulnerability. Instructions for downloading these versions are available on the Parse Server GitHub Releases page.

Added: Mar 11, 2026, 8:28 PM
Updated: Mar 11, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.