CVE-2026-33409: Parse Server Authentication Bypass via Partial authData; Successful Exploitation Leads to Creating a Valid User Session

Parse Server is an open-source backend framework that allows developers to build applications with a robust server-side infrastructure. It provides features such as data storage, user authentication, and real-time notifications. 

Impact of the Vulnerability

Versions 9.0.0 to 9.6.0-alpha.40 and all versions below 8.6.52 are affected by this vulnerability.

In this scenario, the authentication bypass allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to that account, including a valid session token.

This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false.

The authentication bypass vulnerability in Parse Server poses a significant risk to user accounts linked to third-party authentication providers. It is crucial to update to the patched versions or implement the recommended workaround to mitigate this risk.

Authentication is one of those things every product needs, but few teams want to spend time rebuilding from scratch. In today’s digital landscape, the security and reliability of user authentication methods play a crucial role in safeguarding sensitive information and ensuring a seamless user experience.

Analytics:

  • Attack Vector: Remote, Unauthenticated
  • Exploit Complexity: Low
  • User Interaction: None
  • Affected Components: Signup Controller, AuthData Validator

How does the Parse Server vulnerability work?

  • An attacker sends a POST request to the `/classes/_User` (or `/users`) endpoint.
  • The request body contains an empty JSON object for the `authData` field.
  • Parse Server, failing to validate that `authData` actually contains provider data, processes the signup request as if it came from a valid third-party provider.
  • The server creates a new user session and returns a session token to the attacker, granting them authenticated access to the backend.

Patching:

  1. Immediate Patch: Upgrade Parse Server to version `8.6.49` or `9.6.0-alpha.29` (or later).
  2. Cloud Code Workaround: If an immediate upgrade isn't possible, implement a `beforeSave` trigger for the `_User` class to block signups with empty `authData`:

     ```javascript
     // Block signups whose authData is an empty object and that carry no
     // username/password, so an empty authData cannot stand in for a provider login.
     Parse.Cloud.beforeSave(Parse.User, (request) => {
       const authData = request.object.get('authData');
       const hasUsername = request.object.get('username');
       const hasPassword = request.object.get('password');
       // If authData is an empty object and no username/password, block the signup
       if (authData && typeof authData === 'object' && Object.keys(authData).length === 0) {
         if (!hasUsername || !hasPassword) {
           throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Signup requires credentials.');
         }
       }
     });
     ```
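The following is an added example, not code from the post or from Parse Server: a stand-alone classifier for signup request bodies that covers the empty-`authData` case described above and, as an assumption going beyond the post, also flags partial provider entries that lack a non-empty string `id` (the field Parse Server uses to identify a provider account). It is run over constructed sample requests, not real traffic.

```javascript
// classifySignup returns 'ok:...' when the body carries real credentials and
// 'reject:...' when it relies on empty or partial authData.
function classifySignup(body) {
  const authData = body.authData;
  const hasCreds =
    typeof body.username === 'string' && body.username.length > 0 &&
    typeof body.password === 'string' && body.password.length > 0;
  if (authData === undefined || authData === null) {
    return hasCreds ? 'ok:password' : 'reject:no-credentials';
  }
  if (typeof authData !== 'object' || Array.isArray(authData)) {
    return 'reject:malformed-authData';
  }
  let validProviders = 0;
  for (const provider of Object.keys(authData)) {
    const entry = authData[provider];
    // A null entry means "unlink this provider" in Parse; it proves nothing.
    if (entry === null) continue;
    // Assumption: every usable provider entry must carry a non-empty string id.
    if (typeof entry !== 'object' || typeof entry.id !== 'string' || entry.id.length === 0) {
      return `reject:partial-authData:${provider}`;
    }
    validProviders += 1;
  }
  if (validProviders === 0) {
    return hasCreds ? 'ok:password' : 'reject:empty-authData';
  }
  return 'ok:authData';
}

// Constructed sample request bodies (not captured traffic).
const SAMPLE_REQUESTS = [
  { path: '/classes/_User', body: { authData: {} } },
  { path: '/users', body: { authData: { github: {} } } },
  { path: '/users', body: { username: 'alice', password: 'correct-horse' } },
  { path: '/classes/_User', body: { authData: { github: { id: '123', access_token: 'placeholder' } } } },
];

// scan applies the classifier to each request and keeps the path with the verdict.
function scan(requests) {
  return requests.map((r) => ({ path: r.path, verdict: classifySignup(r.body) }));
}
```

Inside the post's `beforeSave` trigger, any verdict beginning with `reject:` would become the thrown `Parse.Error`.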

Conclusion:

Successful exploitation allows an unauthenticated, remote attacker to create a valid user session on the Parse Server. This leads to unauthorized access to the application’s backend, potentially allowing the attacker to view, create, modify, or delete data that the newly created user has permissions for, compromising the confidentiality and integrity of the application.


Source: Parse Server has an auth provider validation bypass on login via partial authData · CVE-2026-33409 · GitHub Advisory Database · GitHub
