CVE-2026-33498: Parse Server has a query condition depth bypass via pre-validation transform pipeline

March 20, 2026

An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.

References

github.com/advisories/GHSA-9fjp-q3c4-6w3j
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10257
github.com/parse-community/parse-server/pull/10258
github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j
nvd.nist.gov/vuln/detail/CVE-2026-33498

Code Behaviors & Features

Detect and mitigate CVE-2026-33498 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →