Missing Authentication for Critical Function in parse-server | CVE-2026-33409

Q: How to fix?

Upgrade parse-server to version 8.6.52, 9.6.0-alpha.41 or higher.

Introduced: 19 Mar 2026

NewCVE-2026-33409 (opens in a new tab) CWE-306 (opens in a new tab)

How to fix?

Upgrade parse-server to version 8.6.52, 9.6.0-alpha.41 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option allowExpiredAuthDataToken is set to true.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Missing Authentication for Critical Function Affecting parse-server package, versions <8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 19 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk