CVE-2026-33538: Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

March 24, 2026

An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.

References

github.com/advisories/GHSA-g4cf-xj29-wqqr
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10270
github.com/parse-community/parse-server/pull/10271
github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
nvd.nist.gov/vuln/detail/CVE-2026-33538

Code Behaviors & Features

Detect and mitigate CVE-2026-33538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →