Parse Server Account Takeover Vulnerability via Authentication Data Injection

Vulnerability

A vulnerability in Parse Server allows an unauthenticated attacker to take over accounts of users who signed up through an authentication provider that does not validate the format of the user identifier it receives, such as anonymous authentication. The issue affects Parse Server 9.x versions from 9.0.0 prior to 9.6.0-alpha.12 and 8.x versions prior to 8.6.38; deployments on both the MongoDB and the PostgreSQL backend are vulnerable. The flaw arises because attacker-controlled authentication data can turn the user lookup into a pattern-matching query instead of an exact-match comparison, so the lookup can resolve to an existing user and the server issues the attacker a valid session token for that account.
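The lookup described above, as an added example that is not Parse Server's code: a toy in-memory user store with a MongoDB-style query matcher, a lookup that passes the client-supplied identifier straight into the query, and a hardened lookup that first requires the identifier to be a non-empty string. The store contents, the `$regex` operator object used as the injected value, and the function names are assumptions for illustration; the advisory does not state which pattern operator or payload shape is involved.

```javascript
// Added illustrative example, not Parse Server's code. Shows why an
// authData id must be validated as a scalar string before it reaches a
// user lookup. All names and data below are assumptions for illustration.

// Constructed sample users; the ids are made up.
const USERS = [
  { objectId: "u1", username: "alice", authData: { anonymous: { id: "a8d0f3c2-1111" } } },
  { objectId: "u2", username: "bob",   authData: { anonymous: { id: "b7e1c4d3-2222" } } },
  { objectId: "u3", username: "carol", authData: { github:    { id: "9001" } } },
];

// Toy query engine. A string filter is an exact comparison; an object carrying
// an operator key is treated as a pattern filter, the way a document store
// would interpret it. Only $regex is modelled here (assumption).
function idMatches(storedId, filter) {
  if (typeof filter === "string") return storedId === filter;
  if (filter !== null && typeof filter === "object" && typeof filter.$regex === "string") {
    return new RegExp(filter.$regex).test(storedId);
  }
  return false;
}

function findUsers(provider, idFilter) {
  return USERS.filter(
    (u) => u.authData[provider] !== undefined && idMatches(u.authData[provider].id, idFilter),
  );
}

// Vulnerable shape: the client-supplied id goes straight into the query. A
// provider that never checks the id's format lets an object through, and the
// exact-match lookup silently becomes a pattern match.
function lookupUnsafe(authData) {
  const [provider, data] = Object.entries(authData)[0];
  return findUsers(provider, data.id);
}

// Hardened shape: reject anything that is not a non-empty string before the
// query is built, so the lookup can only ever be an exact comparison.
function validateAuthId(id) {
  if (typeof id !== "string" || id.length === 0 || id.length > 256) {
    throw new TypeError("auth provider id must be a non-empty string");
  }
  return id;
}

function lookupHardened(authData) {
  const [provider, data] = Object.entries(authData)[0];
  return findUsers(provider, validateAuthId(data.id));
}

// Constructed payloads: a legitimate login and an injected operator object.
const benign = { anonymous: { id: "a8d0f3c2-1111" } };
const injected = { anonymous: { id: { $regex: "." } } };

console.log("unsafe, benign:  ", lookupUnsafe(benign).map((u) => u.username));
console.log("unsafe, injected:", lookupUnsafe(injected).map((u) => u.username));
try {
  lookupHardened(injected);
} catch (e) {
  console.log("hardened, injected: rejected ->", e.message);
}
```

The check is deliberately placed before the query object is assembled rather than inside the matcher: once an operator object has been accepted as an identifier, every storage backend that understands operators will honour it, which is why the advisory lists both MongoDB and PostgreSQL as affected.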

Impact

Successful exploitation yields a valid session token for an existing user, giving an unauthenticated attacker full access to that user's account without any credentials.

Remediation

Users should upgrade to Parse Server 9.6.0-alpha.12 (a pre-release build on the 9.x line) or 8.6.38 to address this vulnerability. Until the upgrade is applied, reviewing which authentication providers are enabled, anonymous authentication in particular, limits exposure, since only providers that do not validate identifier formats are affected.

Added: Mar 12, 2026, 8:20 PM
Updated: Mar 12, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 7.9
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.