CVE-2026-33498: Parse Server has a query condition depth bypass via pre-validation transform pipeline
(updated )
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
References
- github.com/advisories/GHSA-9fjp-q3c4-6w3j
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5
- github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1
- github.com/parse-community/parse-server/pull/10257
- github.com/parse-community/parse-server/pull/10258
- github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j
- nvd.nist.gov/vuln/detail/CVE-2026-33498
Code Behaviors & Features
Detect and mitigate CVE-2026-33498 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →