Platform: nodejs
Component: parse-server
Fixed in: 9.0.1, 8.6.50, 9.6.0-alpha.29
CVE-2026-33042 is a medium-severity vulnerability affecting Parse Server. It allows attackers to create authenticated user sessions without providing valid credentials by exploiting a flaw in the user registration process. This bypass occurs when an empty authData object is sent during signup, effectively circumventing the username and password validation. The vulnerability impacts versions prior to 9.6.0-alpha.29, and a patch has been released.
The primary impact of CVE-2026-33042 is that an attacker can create authenticated user accounts without supplying a username or password. This can lead to unauthorized access to data and resources within the Parse Server application. An attacker could potentially impersonate legitimate users, modify data, or reach further vulnerabilities in application logic that assumes every account was properly authenticated. Because credentials are not enforced, accounts can be created trivially, which significantly weakens the application's security posture. The vulnerability is particularly concerning in environments where user authentication is critical for data protection and access control.
CVE-2026-33042 was publicly disclosed on March 17, 2026. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's simplicity suggests it could be easily exploited. The EPSS score is likely to be assessed as low to medium, given the lack of public exploitation and the availability of a straightforward mitigation.
Applications relying on Parse Server for user authentication are at risk, particularly those that have disabled anonymous user signups. Legacy Parse Server deployments running older, unpatched versions are especially vulnerable. Shared hosting environments where Parse Server instances are managed by a third party should also be assessed.
• nodejs / server:
# Check the installed Parse Server version (run in the deployment's project directory)
npm ls parse-server
# or read it directly from the installed package
grep '"version"' node_modules/parse-server/package.json
• nodejs / server:
# Review Cloud Code 'beforeSave' triggers on _User for user validation logic
# Examine the Parse Server deployment for any custom authentication mechanisms
Disclosure
Exploit status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-33042 is to upgrade Parse Server to version 9.6.0-alpha.29 or later. This version includes a fix that ensures empty or non-actionable authData is treated the same as absent authData for credential validation. As a temporary workaround, implement a Cloud Code beforeSave trigger on the _User class to enforce username and password requirements. This trigger can validate the presence of both fields before allowing user creation. After upgrading, confirm the fix by attempting to create a new user with an empty authData object; the registration should fail.
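The workaround above, written out as an added example (this is not code from the advisory or from the Parse Server project): a Cloud Code `beforeSave` trigger on `_User` that treats empty or non-actionable `authData` exactly like absent `authData` and then requires both a username and a password. The validation itself is kept in plain functions so it can be exercised without a running Parse Server; the trigger registration at the bottom only executes when the `Parse` SDK global exists. It assumes that the trigger can read `username`, `password` and `authData` for a newly created user (if your version strips the password before triggers run, drop that check and rely on the username check plus the upgrade).

```javascript
// Added example, not Parse Server's own code. Assumes Cloud Code exposes
// username, password and authData on a new _User inside beforeSave.

// authData is "actionable" only if it names at least one provider whose
// payload is a non-empty object, e.g. { anonymous: { id: '...' } }.
// {}, null, [] and { facebook: {} } are treated like absent authData.
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.entries(authData).some(([provider, payload]) =>
    provider.length > 0 &&
    payload !== null &&
    typeof payload === 'object' &&
    !Array.isArray(payload) &&
    Object.keys(payload).length > 0
  );
}

function isNonEmptyString(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// Decide whether a brand-new _User may be created.
// `fields` is a plain object view of the user being saved. Returns { ok, reason }.
function validateNewUser(fields) {
  if (hasActionableAuthData(fields.authData)) {
    // Genuine third-party or anonymous login: Parse Server validates the
    // provider payload itself, so no username/password is required here.
    return { ok: true, reason: 'actionable authData present' };
  }
  if (!isNonEmptyString(fields.username)) {
    return { ok: false, reason: 'username is required when no authData is provided' };
  }
  if (!isNonEmptyString(fields.password)) {
    return { ok: false, reason: 'password is required when no authData is provided' };
  }
  return { ok: true, reason: 'username and password present' };
}

// Cloud Code wiring. Guarded so this file also loads in a plain Node.js process.
if (typeof Parse !== 'undefined' && Parse.Cloud && typeof Parse.Cloud.beforeSave === 'function') {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    const user = request.object;
    if (user.existed()) {
      return; // only gate account creation; updates to existing users are unaffected
    }
    const verdict = validateNewUser({
      username: user.get('username'),
      password: user.get('password'),
      authData: user.get('authData'),
    });
    if (!verdict.ok) {
      // Rejecting here makes the signup request fail before the user is written.
      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, verdict.reason);
    }
  });
}
```

Drop this file into the Cloud Code `main.js` (or require it from there). After upgrading, the same check doubles as a verification probe: a signup carrying `authData: {}` and no credentials should be refused by the server itself, and the trigger will never see a request that reaches the `ok: false` branch.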
Update Parse Server to version 9.6.0-alpha.29 or later, or to version 8.6.49 or later. This fixes the vulnerability that allows users to be created without valid credentials. Alternatively, implement a `beforeSave` trigger in Cloud Code for the `_User` class that rejects registrations where `authData` is empty and no username or password was provided.
CVE-2026-33042 is a vulnerability in Parse Server that allows attackers to create user accounts without providing a username or password by sending an empty authData object.
You are affected if you are running Parse Server versions prior to 9.6.0-alpha.29 and have not implemented a workaround.
Upgrade to Parse Server version 9.6.0-alpha.29 or later. Alternatively, implement a Cloud Code 'beforeSave' trigger to enforce username and password requirements.
There is currently no indication of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the Parse Server documentation and release notes for details on this vulnerability and the corresponding fix.