CVE-2026-39321: Parse Server has a login timing side-channel reveals user existence

April 8, 2026 (updated April 15, 2026)

The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.

References

github.com/advisories/GHSA-mmpq-5hcv-hf2v
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10398
github.com/parse-community/parse-server/pull/10399
github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v
nvd.nist.gov/vuln/detail/CVE-2026-39321

Code Behaviors & Features

Detect and mitigate CVE-2026-39321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →