CVE-2026-31901: Parse Server vulnerable to user enumeration via email verification endpoint
The email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application.
This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true).
References
- github.com/advisories/GHSA-w54v-hf9p-8856
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.34
- github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8
- github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856
- nvd.nist.gov/vuln/detail/CVE-2026-31901
Code Behaviors & Features
Detect and mitigate CVE-2026-31901 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →