PT-2026-25999 · Unknown · Parse Server

Fancymalware · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-33042

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.29
Parse Server versions prior to 8.6.49
Description

Parse Server is an open source backend deployable on Node.js infrastructures. A user can create an account without providing credentials by submitting an empty authData object, circumventing the username and password requirement. This allows the creation of authenticated sessions without valid credentials, even when anonymous users are disabled. The issue arises because empty or non-actionable authData was not treated the same as absent authData during credential validation for new user creation. The affected class is User.
Recommendations

Update versions prior to 9.6.0-alpha.29 and versions prior to 8.6.49. As a workaround, implement a Cloud Code beforeSave trigger on the User class that rejects signups where authData is empty and no username/password is provided.
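The beforeSave workaround from the recommendation, written out as an added example (not Parse Server's or the advisory's own code). It assumes the trigger can read the new user's username, password and authData, treats authData as usable only when a provider key maps to a non-null object, and expects `Parse` to be the Cloud Code global.

```javascript
// Added defensive example (not Parse Server's or the advisory's own code): the
// beforeSave workaround from the recommendation as a pure validator plus a trigger.

// Assumption: authData is "actionable" only when it is a plain object with at least
// one provider key whose value is itself a non-null object, e.g. {facebook: {...}}.
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.values(authData).some((v) => v !== null && typeof v === 'object');
}

// Decide whether a new user record carries credentials. Returns null when the
// signup is acceptable, otherwise the reason it must be rejected.
function rejectReasonForSignup({ username, password, authData }) {
  if (hasActionableAuthData(authData)) {
    return null; // provider login; Parse Server validates the provider data itself
  }
  const present = (s) => typeof s === 'string' && s.length > 0;
  if (present(username) && present(password)) {
    return null; // classic username/password signup
  }
  return 'signup rejected: empty authData and no username/password';
}

// Handler shaped like a Parse Cloud Code beforeSave callback for Parse.User.
// Assumption: for a not-yet-saved _User the trigger can read the submitted password.
function beforeSaveUser(request) {
  const user = request.object;
  if (!user.isNew()) {
    return; // gate account creation only; updates and provider unlinks are untouched
  }
  const reason = rejectReasonForSignup({
    username: user.get('username'),
    password: user.get('password'),
    authData: user.get('authData'),
  });
  if (reason) {
    throw new Error(reason); // the save fails and the client receives the message
  }
}

// Register only inside Cloud Code, where `Parse` is provided as a global.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, beforeSaveUser);
}
```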

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-PARSE-2026-33042
CVE-2026-33042
GHSA-WJQW-R9X4-J59V

Affected Products

Parse Server