CVE-2026-33042: Parse Server affected by empty authData bypassing credential requirement on signup

March 17, 2026

A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.

References

github.com/advisories/GHSA-wjqw-r9x4-j59v
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10219
github.com/parse-community/parse-server/pull/10220
github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
nvd.nist.gov/vuln/detail/CVE-2026-33042

Code Behaviors & Features

Detect and mitigate CVE-2026-33042 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →