CVE-2026-32248: Parse Server: Account takeover via operator injection in authentication data identifier
An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user’s account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable.
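The following is an added example, not Parse Server code, showing the defensive check this class of bug calls for: an authentication-data identifier must be a plain string before it becomes a database match value, otherwise an object carrying operator keys is interpreted as a query expression rather than a literal. The field layout (`authData.<provider>.id`) and function names are assumptions for illustration.

```javascript
// Added example (not Parse Server code). Assumed document shape:
// { authData: { anonymous: { id: '<string>' } } }

// Naive filter: whatever the client sent becomes the match value. If `id` is
// an object whose keys are operators, the driver evaluates it as an expression
// (e.g. a pattern match) instead of an exact-match literal.
function buildLookupUnsafe(provider, id) {
  return { [`authData.${provider}.id`]: id };
}

// Hardened: provider name and identifier are both required to be plain,
// non-empty strings; anything else is rejected before a query is built.
function validateAuthDataId(provider, id) {
  if (typeof provider !== 'string' || !/^[A-Za-z0-9_]+$/.test(provider)) {
    throw new TypeError('invalid auth provider name');
  }
  if (typeof id !== 'string' || id.length === 0) {
    throw new TypeError(`authData.${provider}.id must be a non-empty string`);
  }
  return id;
}

function buildLookupSafe(provider, id) {
  return { [`authData.${provider}.id`]: validateAuthDataId(provider, id) };
}

// Detection helper for request logging / WAF-style review: does a value
// contain MongoDB-style operator keys ("$...") at any nesting depth?
function containsOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || containsOperatorKeys(v)
  );
}

// Constructed sample inputs: a legitimate anonymous login and a crafted one
// whose identifier is an operator object instead of a string.
const legitAuthData = { anonymous: { id: 'c0ffee00-constructed-sample-id' } };
const craftedAuthData = { anonymous: { id: { $regex: '.*' } } };
```

`buildLookupUnsafe` passes the crafted object straight through, which `containsOperatorKeys` flags; `buildLookupSafe` throws on it and only builds a filter for the string form.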
References
- github.com/advisories/GHSA-5fw2-8jcv-xh87
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.38
- github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12
- github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87
- nvd.nist.gov/vuln/detail/CVE-2026-32248