PT-2026-25999 · Npm · Parse Server
Published 2026-03-17 · Updated 2026-03-17
CVE-2026-33042
CVSS v4.0: 6.9
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Impact
A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.
Patches
The fix ensures that empty or non-actionable authData is treated the same as absent authData for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present.
Workarounds
Use a Cloud Code beforeSave trigger on the User class to reject signups where authData is empty and no username/password is provided.
Fix
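The beforeSave workaround described above, as an added example that is not part of this advisory or of the Parse Server project. It assumes Parse Server Cloud Code with the usual Parse global (Parse.Cloud.beforeSave, Parse.User, Parse.Error) and that the plaintext password field is still readable in beforeSave for a user being created; the validation itself is kept in a plain function so it can be exercised without a server.

```javascript
// Added example (not advisory or Parse Server code): reject signups whose authData
// is empty or non-actionable unless a username and password are also supplied.

// True only when authData holds at least one provider entry with some content.
// {} , { anonymous: {} } and { facebook: null } all count as non-actionable.
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) return false;
  return Object.entries(authData).some(([provider, data]) =>
    provider.length > 0 && data !== null && typeof data === 'object' && Object.keys(data).length > 0);
}

// Pure check over the fields of a user being created. Returns null when the
// signup is acceptable, otherwise the message the trigger should reject with.
function validateSignupFields(fields) {
  if (hasActionableAuthData(fields.authData)) return null; // real provider signup
  const username = typeof fields.username === 'string' ? fields.username.trim() : '';
  const password = typeof fields.password === 'string' ? fields.password : '';
  if (username === '' || password === '') {
    return 'Signup requires a username and password when no auth provider data is present.';
  }
  return null;
}

// Cloud Code registration (main.js). Guarded so the file also loads outside
// Parse Server, where the Parse global does not exist (assumption: Parse Server
// exposes the password of a new user to beforeSave via request.object.get).
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    const user = request.object;
    if (!user.isNew()) return; // only signups are affected; updates are left alone
    const message = validateSignupFields({
      username: user.get('username'),
      password: user.get('password'),
      authData: user.get('authData'),
    });
    if (message !== null) throw new Parse.Error(Parse.Error.VALIDATION_ERROR, message);
  });
}
```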
Weakness Enumeration
Improper Authentication
Related Identifiers
Affected Products
Parse Server