PT-2026-26493 · Unknown · Parse Server

Restriction · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33409

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.52
Parse Server versions prior to 9.6.0-alpha.41

Description

A flaw exists in Parse Server that allows an attacker to bypass authentication and log in as any user who has linked a third-party authentication provider. The attacker requires only the user's provider ID to gain full access to the account, including a valid session token. This issue impacts deployments where the allowExpiredAuthDataToken server option is set to true. The vulnerable component is the authentication process, specifically when handling third-party authentication providers.

Recommendations

Update Parse Server to version 8.6.52 or later.
Update Parse Server to version 9.6.0-alpha.41 or later.
Set the allowExpiredAuthDataToken server option to false.
Remove the allowExpiredAuthDataToken option from the server configuration.
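As an added example (not code from the advisory or from the Parse Server project), the following JavaScript check combines the two conditions above: it flags a deployment as exposed only when it runs an affected version and has allowExpiredAuthDataToken enabled. The function names are my own; the option name and version boundaries are taken from the advisory.

```javascript
// Added example, not code from the advisory or from Parse Server: flags a deployment
// as exposed to CVE-2026-33409 when it runs an affected version AND has the
// allowExpiredAuthDataToken server option enabled. Function names are hypothetical.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver-style ordering: numeric core first; a prerelease sorts before its release,
// and within prereleases numeric identifiers compare numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (nx) return -1;          // numeric identifiers sort before alphanumeric ones
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges from the advisory: anything before 8.6.52, and the 9.x line before 9.6.0-alpha.41.
function isAffectedVersion(version) {
  const major = parseVersion(version).core[0];
  return compareVersions(version, '8.6.52') < 0 ||
    (major === 9 && compareVersions(version, '9.6.0-alpha.41') < 0);
}

// The bypass needs the option enabled; false or absent is the safe state.
function isExposed(version, serverOptions) {
  return isAffectedVersion(version) && serverOptions.allowExpiredAuthDataToken === true;
}
```

Pass the running Parse Server version and the options object handed to the ParseServer constructor; a true result means either upgrade or set the option to false (or remove it).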

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related identifiers

BIT-PARSE-2026-33409
CVE-2026-33409
GHSA-PFJ7-WV7C-22PR

Affected products

Parse Server