DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32248: Account Takeover via Operator Injection in Parse Server

Vulnerability ID: CVE-2026-32248
CVSS Score: 9.3
Published: 2026-03-12

Parse Server versions prior to 8.6.38 and 9.6.0-alpha.12 contain a critical account takeover vulnerability caused by improper input validation in the authentication logic. Unauthenticated remote attackers can bypass authentication and obtain valid session tokens by injecting database operators into the anonymous authentication provider's identifier payload.

TL;DR

Unauthenticated attackers can achieve full account takeover in Parse Server by injecting MongoDB or PostgreSQL query operators into the anonymous authentication identifier, forcing the backend to return a valid session token for existing users.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-943
  • Attack Vector: Network
  • CVSS Score: 9.3
  • Impact: Account Takeover
  • Exploit Status: POC Available
  • CISA KEV: Not Listed

Affected Systems

  • Parse Server deployments using MongoDB
  • Parse Server deployments using PostgreSQL
  • Node.js backend applications importing the parse-server module
  • Parse Server: < 8.6.38 (Fixed in: 8.6.38)
  • Parse Server: >= 9.0.0, < 9.6.0-alpha.12 (Fixed in: 9.6.0-alpha.12)

Code Analysis

Commit: 93425df

fix: Account takeover via operator injection in authentication data identifier

Mitigation Strategies

  • Upgrade Parse Server to fixed versions 8.6.38 or 9.6.0-alpha.12
  • Disable the anonymous authentication provider via Parse Server configuration if unused
  • Implement Web Application Firewall (WAF) rules to detect and block NoSQL operators in authentication payloads

Remediation Steps:

  1. Identify the currently deployed version of Parse Server
  2. Update the project package.json to require version 8.6.38 or 9.6.0-alpha.12
  3. Rebuild and redeploy the Node.js application
  4. Alternatively, set auth: { anonymous: false } in the ParseServer instantiation options
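The WAF rule and the allow-list idea behind the mitigations above can be enforced in front of Parse Server itself. The following is an added example, not Parse Server's own code or the fix in commit 93425df: it assumes an Express-style middleware signature and the Parse REST request shape authData: { anonymous: { id } }, and it treats any $-prefixed key inside authData as an operator-like value to reject and log.

```javascript
'use strict';

// Walk a parsed JSON value and return the dotted path of the first
// $-prefixed key, or null if none is present. Parse expresses query
// constraints as $-prefixed keys on both the MongoDB and PostgreSQL
// adapters, so this is the shape an operator injection takes in JSON.
function findOperatorKey(value, path = 'body') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key.startsWith('$')) return `${path}.${key}`;
      const hit = findOperatorKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Allow-list check for the anonymous provider: the identifier must be a
// non-empty plain string, never an object or array that could carry
// operators. Returns { ok: true } or { ok: false, reason }.
function validateAnonymousAuthData(body) {
  const anon = body && body.authData && body.authData.anonymous;
  if (anon === undefined || anon === null) return { ok: true }; // not an anonymous login
  if (typeof anon !== 'object' || Array.isArray(anon)) {
    return { ok: false, reason: 'authData.anonymous must be an object' };
  }
  if (typeof anon.id !== 'string' || anon.id.length === 0) {
    return { ok: false, reason: 'authData.anonymous.id must be a non-empty string' };
  }
  // Scope the operator scan to authData only: legitimate Parse query bodies
  // carry $-operators under "where", so a body-wide block would break them.
  const op = findOperatorKey(body.authData, 'authData');
  if (op) return { ok: false, reason: `operator-like key at ${op}` };
  return { ok: true };
}

// Express-style middleware for the /users and /login routes (hypothetical
// wiring): reject and log the request before it reaches Parse Server.
function rejectOperatorInjection(req, res, next) {
  const result = validateAnonymousAuthData(req.body);
  if (result.ok) return next();
  console.warn(`[auth-guard] rejected ${req.method} ${req.path}: ${result.reason}`);
  return res.status(400).json({ code: 107, error: 'invalid authData' });
}

module.exports = { findOperatorKey, validateAnonymousAuthData, rejectOperatorInjection };
```

Mount it with app.use('/parse/users', rejectOperatorInjection) and the same for /parse/login ahead of the Parse Server mount; the console.warn line is the detection signal to forward to your log pipeline.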
