PT-2026-26482 · Unknown · Parse Server

Fancymalware · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33323

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Parse Server versions prior to 8.6.51
Parse Server versions prior to 9.6.0-alpha.40

Description:
Parse Server contains a flaw in the Pages route and the legacy PublicAPI route used to resend email verification links: both return different redirect targets depending on whether the supplied username exists and has an unverified email address. An unauthenticated attacker can therefore enumerate valid usernames by observing the redirect target. The emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route, did not apply to these routes. The fix makes these routes respect emailVerifySuccessOnInvalidEmail, redirecting to the success page regardless of the outcome when the option is set to true.

Recommendations:
Upgrade to Parse Server version 8.6.51 or later.
Upgrade to Parse Server version 9.6.0-alpha.40 or later.
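As an added illustration (not Parse Server's own code), the JavaScript below models the redirect decision of a resend-verification route before and after it honours emailVerifySuccessOnInvalidEmail, and includes a check a maintainer can keep as a regression test for the leak. The in-memory user table and the two page paths are constructed assumptions for the example.

```javascript
// Added example, not Parse Server code: models the redirect decision of a
// "resend verification email" route with and without the
// emailVerifySuccessOnInvalidEmail guard described in the advisory.

// Constructed in-memory user table standing in for the user collection.
const USERS = new Map([
  ['alice', { emailVerified: false }], // exists, unverified: a mail would go out
  ['bob', { emailVerified: true }],    // exists, already verified
]);

// Illustrative redirect targets (assumed names, not necessarily the project's).
const SUCCESS_PAGE = '/link_send_success.html';
const FAIL_PAGE = '/link_send_fail.html';

// Looks up the user and reports whether a verification mail would be sent.
function tryResendVerification(username) {
  const user = USERS.get(username);
  if (!user) return { sent: false, reason: 'unknown_user' };
  if (user.emailVerified) return { sent: false, reason: 'already_verified' };
  return { sent: true, reason: null };
}

// Vulnerable behaviour: the redirect target mirrors the lookup outcome, so an
// unauthenticated caller learns which usernames exist and are unverified.
function redirectTargetVulnerable(username) {
  return tryResendVerification(username).sent ? SUCCESS_PAGE : FAIL_PAGE;
}

// Hardened behaviour: with the option on (the default) the route always
// redirects to the success page; the real outcome stays server-side.
function redirectTargetFixed(username, opts = { emailVerifySuccessOnInvalidEmail: true }) {
  const result = tryResendVerification(username);
  if (opts.emailVerifySuccessOnInvalidEmail) return SUCCESS_PAGE;
  return result.sent ? SUCCESS_PAGE : FAIL_PAGE;
}

// Regression check: a route leaks account state if probe names in different
// states (existing-unverified, verified, unknown) yield more than one target.
function leaksAccountState(routeFn) {
  const targets = new Set(['alice', 'bob', 'nobody'].map(name => routeFn(name)));
  return targets.size > 1;
}
```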

Exploit

Fix

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-33323
CVE-2026-33323
GHSA-H29G-Q5C2-9H4F

Affected Products

Parse Server