PT-2026-26493 · Unknown · Parse Server

Restriction · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33409

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.52
Parse Server versions prior to 9.6.0-alpha.41

Description

A flaw exists in Parse Server that allows an attacker to bypass authentication and log in as any user who has linked a third-party authentication provider. The attacker requires only the user's provider ID to gain full access to the account, including a valid session token. This issue impacts deployments where the allowExpiredAuthDataToken server option is set to true. The vulnerable component is the authentication process, specifically the handling of third-party authentication providers.

Recommendations

Update Parse Server to version 8.6.52 or later.
Update Parse Server to version 9.6.0-alpha.41 or later.
Set the allowExpiredAuthDataToken server option to false.
Remove the allowExpiredAuthDataToken option from the server configuration.
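As an added check (not Parse Server's own code), the script below evaluates a deployment's version string and server configuration against the affected versions and the allowExpiredAuthDataToken condition stated in this record. The semver precedence rule it implements and the sample inputs at the bottom are assumptions made for the example.

```javascript
// Added example (not Parse Server's own code): decides whether a deployment
// matches the affected set in this record: a vulnerable version combined with
// allowExpiredAuthDataToken set to true. Version strings are assumed to be
// semver ("8.6.52", "9.6.0-alpha.41").

function parseVersion(v) {
  const [core, pre] = v.split('-');
  return {
    core: core.split('.').map(Number),
    // prerelease identifiers: numeric ones become numbers, others stay strings
    pre: pre ? pre.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null,
  };
}

// Semver precedence: numeric core first; a release outranks any prerelease of
// the same core; prerelease identifiers compare left to right, numeric < string.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre || !pb.pre) return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    if (typeof x !== typeof y) return typeof x === 'number' ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Fixed versions from this record: 8.6.52 for the 8.x line (and anything older),
// 9.6.0-alpha.41 for the 9.x line. Exposure needs both a vulnerable version and
// the option explicitly set to true.
function auditParseServer(version, config) {
  const fixed = parseVersion(version).core[0] >= 9 ? '9.6.0-alpha.41' : '8.6.52';
  const vulnerableVersion = compareVersions(version, fixed) < 0;
  const riskySetting = config.allowExpiredAuthDataToken === true;
  return { vulnerableVersion, riskySetting, exposed: vulnerableVersion && riskySetting };
}

// Constructed sample inputs for illustration.
console.log(auditParseServer('8.6.51', { allowExpiredAuthDataToken: true }));       // exposed: true
console.log(auditParseServer('8.6.51', {}));                                          // exposed: false
console.log(auditParseServer('9.6.0-alpha.41', { allowExpiredAuthDataToken: true })); // exposed: false
```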


Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-PARSE-2026-33409
CVE-2026-33409
GHSA-PFJ7-WV7C-22PR

Affected Products

Parse Server