PT-2026-25058 · Bitnami · Parse

Fancymalware

Published: 2026-03-12 · Updated: 2026-03-17 · CVE-2026-32248

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.12 and 8.6.38

Description: Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to account takeover. An unauthenticated attacker can compromise user accounts created with authentication providers that do not validate user identifiers, such as those using anonymous authentication. By submitting a specially crafted login request, the attacker can manipulate the server into performing a pattern-matching query instead of an exact-match lookup. This allows the attacker to successfully match an existing user and obtain a valid session token, effectively gaining control of the user's account. Both MongoDB and PostgreSQL database backends are affected. The issue stems from insufficient input validation for authentication data, specifically the user identifier. The fix involves enforcing that the user identifier is a string before use in database queries, rejecting non-string values.

Recommendations: Versions prior to 9.6.0-alpha.12 should be updated to 9.6.0-alpha.12 or later. Versions prior to 8.6.38 should be updated to 8.6.38 or later.
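The class of check the fix describes, written as an added Node.js example (not Parse Server's own code): the provider identifier in `authData` is accepted only when it is a non-empty string, so a non-string value can never reach the database layer and be interpreted as a query operator. The `authData` shape `{ provider: { id } }` and the sample inputs are assumptions for illustration.

```javascript
// Added example, not code from Parse Server. Demonstrates rejecting non-string
// user identifiers before they are used in a lookup, as the advisory's fix does.

class InvalidAuthDataError extends Error {}

// Accept authData only if every provider entry carries a non-empty string `id`.
// Objects, arrays, numbers and null are rejected up front: a database driver
// may treat a non-string value as a pattern or operator rather than a literal,
// turning an exact-match lookup into a pattern match.
function validateAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    throw new InvalidAuthDataError('authData must be an object');
  }
  for (const [provider, data] of Object.entries(authData)) {
    if (data === null || typeof data !== 'object' || Array.isArray(data)) {
      throw new InvalidAuthDataError(`authData.${provider} must be an object`);
    }
    if (typeof data.id !== 'string' || data.id.length === 0) {
      throw new InvalidAuthDataError(`authData.${provider}.id must be a non-empty string`);
    }
  }
  return authData;
}

// Build the exact-match lookup filter for one provider, validating first.
// The dotted field name is an assumption about how authData is stored.
function buildAuthLookupFilter(provider, authData) {
  validateAuthData(authData);
  return { [`authData.${provider}.id`]: authData[provider].id };
}

// True if the login payload is rejected by the type check, false if accepted.
function isRejected(authData) {
  try { validateAuthData(authData); return false; }
  catch (e) { if (e instanceof InvalidAuthDataError) return true; throw e; }
}

// Constructed sample payloads (not taken from the advisory).
const GOOD_LOGIN = { anonymous: { id: 'a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d' } };
const OBJECT_ID_LOGIN = { anonymous: { id: { pattern: '*' } } }; // object where a string is required
const NUMBER_ID_LOGIN = { anonymous: { id: 12345 } };
const ARRAY_ID_LOGIN = { anonymous: { id: ['x'] } };
const EMPTY_ID_LOGIN = { anonymous: { id: '' } };
```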

Related Identifiers

BIT-PARSE-2026-32248
CVE-2026-32248
GHSA-5FW2-8JCV-XH87

Affected Products

Parse
Parse Server