PT-2026-24482 · Unknown · Parse Server
0Xkakash1 · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-31828
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.2-alpha.13
Parse Server versions prior to 8.6.26

Description
Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its LDAP authentication adapter. The adapter interpolates user-supplied input (authData.id) directly into LDAP Distinguished Names (DNs) and group search filters without escaping LDAP special characters. An attacker who holds valid LDAP credentials can therefore alter the structure of the bind DN and bypass group membership checks, potentially escalating from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control.

Recommendations
Update to Parse Server version 9.5.2-alpha.13 or later.
Update to Parse Server version 8.6.26 or later.

Tags: Exploit · Fix · LPE

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-31828
CVE-2026-31828
GHSA-7M6R-FHH7-R47C

Affected Products

Parse Server