Platform
nodejs
Component
parse-server
Fixed in
8.6.53
9.0.1
9.6.0-alpha.41
CVE-2026-33409 is a critical authentication bypass vulnerability affecting Parse Server. An attacker can exploit this flaw to log in as any user who has linked a third-party authentication provider, effectively gaining complete control over their account. This vulnerability specifically impacts Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. Upgrade to version 9.6.0-alpha.41 or later to remediate this issue.
The impact of CVE-2026-33409 is severe. Successful exploitation allows an attacker to impersonate any user with a linked third-party authentication provider, granting full access to that user's data, including sensitive information stored in Parse Server. The attacker can act on behalf of the compromised user, potentially leading to data breaches, unauthorized modifications, and further lateral movement within the affected system. Because the attacker needs to know only the user's provider ID, the barrier to entry is low, which makes this vulnerability particularly concerning.
CVE-2026-33409 was publicly disclosed on March 19, 2026. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation makes it a potential target for malicious actors. The vulnerability's criticality and the relatively simple attack vector suggest a medium probability of exploitation. It is not currently listed on CISA KEV.
Parse Server deployments utilizing third-party authentication providers and specifically configured with allowExpiredAuthDataToken set to true are at significant risk. This includes applications relying on Parse Server for backend services and those with legacy configurations that haven't been updated to the latest security standards.
• nodejs / server:
grep -r 'allowExpiredAuthDataToken: true' /opt/parse-server/config.js
• nodejs / server:
ps aux | grep -i parse-server | grep 'allowExpiredAuthDataToken=true'
• generic web: Review Parse Server access logs for unusual login patterns or attempts using unexpected provider IDs.
EPSS
0.05% (16th percentile)
The primary mitigation for CVE-2026-33409 is to upgrade Parse Server to version 9.6.0-alpha.41 or later. This version includes a fix that validates all authentication providers during login, regardless of the allowExpiredAuthDataToken setting. If upgrading is not immediately feasible, disabling the allowExpiredAuthDataToken server option can reduce the risk, although it may impact legitimate users who rely on expired tokens. Monitor Parse Server logs for suspicious login attempts, particularly those involving unusual provider IDs. After upgrading, confirm the fix by attempting a login with a third-party provider and verifying that the authentication process is properly validated.
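As an added example that is not part of this advisory or of Parse Server's own code, the check below decides from a deployment's version string and server options whether it is exposed, using the three fixed versions listed on this page and the default of allowExpiredAuthDataToken being false; treating pre-releases for which no fix is listed as affected is this example's own conservative assumption.

```javascript
// Added example (not Parse Server's own code): decide from the Parse Server
// version and server options whether a deployment is exposed to CVE-2026-33409.
const FIXED_VERSIONS = ["8.6.53", "9.0.1", "9.6.0-alpha.41"]; // from the advisory

// Parse "9.6.0-alpha.41" into { release: [9, 6, 0], pre: ["alpha", 41] }.
function parseVersion(v) {
  const [release, pre = ""] = v.split("-", 2);
  const ids = pre === "" ? [] : pre.split(".").map((s) => (/^\d+$/.test(s) ? Number(s) : s));
  return { release: release.split(".").map(Number), pre: ids };
}

// SemVer pre-release ordering: numbers sort before words and compare by value,
// words compare lexically, and a shorter list sorts first when otherwise equal.
function comparePre(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    if (a[i] === b[i]) continue;
    if (typeof a[i] === "number" && typeof b[i] === "number") return a[i] - b[i];
    if (typeof a[i] === "number") return -1;
    if (typeof b[i] === "number") return 1;
    return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A release is fixed once it reaches the first fixed release of its major line.
// A pre-release is fixed only if the advisory lists a fix for that same base
// version and the pre-release is at or past it; others are assumed affected.
function isVersionFixed(version) {
  const v = parseVersion(version);
  const fixes = FIXED_VERSIONS.map(parseVersion);
  if (v.pre.length === 0) {
    const rel = fixes.find((x) => x.pre.length === 0 && x.release[0] === v.release[0]);
    if (rel) return compareRelease(v.release, rel.release) >= 0;
    return v.release[0] > Math.max(...fixes.map((x) => x.release[0])); // newer majors
  }
  const f = fixes.find((x) => x.pre.length > 0 && compareRelease(x.release, v.release) === 0);
  return f !== undefined && comparePre(v.pre, f.pre) >= 0;
}

// Exposed only while unfixed AND allowExpiredAuthDataToken is explicitly true
// (the option defaults to false, so an absent key is not exposed).
function isExposed(version, serverOptions) {
  return !isVersionFixed(version) && serverOptions.allowExpiredAuthDataToken === true;
}
```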
Upgrade Parse Server to version 8.6.52 or later, or to version 9.6.0-alpha.41 or later. If you cannot upgrade immediately, make sure the server option `allowExpiredAuthDataToken` is set to `false` (this is the default value).
CVE-2026-33409 is a critical vulnerability in Parse Server allowing attackers to log in as users with linked third-party authentication providers without their credentials.
You are affected if you are using Parse Server versions prior to 9.6.0-alpha.41 and have the allowExpiredAuthDataToken server option set to true.
Upgrade Parse Server to version 9.6.0-alpha.41 or later. Alternatively, disable the allowExpiredAuthDataToken option if upgrading is not immediately possible.
While no public exploit is currently available, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the official Parse Server documentation and security advisories for the most up-to-date information: [https://parse.com/docs/security](https://parse.com/docs/security)