PT-2026-24802 · Bitnami+4 · Parse+1
0Xkakash1 · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-31901
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.34
Parse Server versions prior to 9.6.0-alpha.8

Description
Parse Server, an open source backend deployable on Node.js infrastructures, is affected by a user enumeration issue. The /verificationEmailRequest API endpoint returns different error responses based on whether an email address is registered, already verified, or non-existent. An attacker can send requests with various email addresses and analyze the error codes to determine which email addresses are associated with existing user accounts. This issue impacts any Parse Server deployment where email verification is enabled (verifyUserEmails: true). A fix introduces the emailVerifySuccessOnInvalidEmail option, which, when enabled, returns a generic success response for all verification email requests, preventing differentiation between valid, verified, and non-existent email addresses. The fix also includes strengthened input validation for the resetPasswordSuccessOnInvalidEmail option and security checks to warn when enumeration mitigation is disabled.

Recommendations
Parse Server versions prior to 8.6.34: Upgrade to version 8.6.34 or later.
Parse Server versions prior to 9.6.0-alpha.8: Upgrade to version 9.6.0-alpha.8 or later.
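As an added illustration of the mitigation options named above (example code, not Parse Server's own security check), the following function audits a Parse Server options object and reports when verifyUserEmails is enabled without emailVerifySuccessOnInvalidEmail, or when resetPasswordSuccessOnInvalidEmail is set to anything other than the boolean true. The option names come from the advisory; the audit logic, messages and sample configurations are constructed here.

```javascript
// Added example (not Parse Server's own code): audit a Parse Server options
// object for the enumeration mitigations the advisory names. Option names are
// from the advisory; logic, messages and sample configs are constructed here.
function auditEnumerationMitigations(options) {
  const findings = [];
  // Email verification enables /verificationEmailRequest. Without the
  // generic-success option its error codes differ for registered,
  // already-verified and unknown addresses (CVE-2026-31901).
  if (options.verifyUserEmails === true &&
      options.emailVerifySuccessOnInvalidEmail !== true) {
    findings.push('verifyUserEmails is enabled but emailVerifySuccessOnInvalidEmail ' +
      'is not true: /verificationEmailRequest can reveal whether an email is registered');
  }
  // The fix also tightened input validation for this sibling option, so flag
  // any explicitly configured value that is not the boolean true.
  if ('resetPasswordSuccessOnInvalidEmail' in options) {
    const v = options.resetPasswordSuccessOnInvalidEmail;
    if (typeof v !== 'boolean') {
      findings.push(`resetPasswordSuccessOnInvalidEmail must be a boolean, got ${typeof v}`);
    } else if (v === false) {
      findings.push('resetPasswordSuccessOnInvalidEmail is false: password reset ' +
        'requests can reveal whether an email is registered');
    }
  }
  return findings;
}

// Constructed sample configurations; appId is a placeholder.
const weakConfig = { appId: 'example-app', verifyUserEmails: true };
const hardenedConfig = {
  appId: 'example-app',
  verifyUserEmails: true,
  emailVerifySuccessOnInvalidEmail: true,
  resetPasswordSuccessOnInvalidEmail: true,
};

console.log(auditEnumerationMitigations(weakConfig));     // one finding
console.log(auditEnumerationMitigations(hardenedConfig)); // []
```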


Related Identifiers

BIT-PARSE-2026-31901
CVE-2026-31901
GHSA-W54V-HF9P-8856

Affected Products

Parse
Parse Server