Platform: nodejs
Component: parse-server
Fixed in: 8.6.53, 9.0.1, 9.6.0-alpha.41
CVE-2026-33409 is a critical authentication bypass vulnerability in Parse Server. An attacker can exploit this flaw to log in as any user who has linked a third-party authentication provider, gaining complete control of that account. The vulnerability only affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. Upgrade to version 9.6.0-alpha.41 or later to remediate this issue.
The impact of CVE-2026-33409 is severe. Successful exploitation allows an attacker to impersonate any user with a linked third-party authentication provider. This grants full access to the user's data, including sensitive information stored within Parse Server. The attacker can perform actions on behalf of the compromised user, potentially leading to data breaches, unauthorized modifications, and further lateral movement within the affected system. Because the attacker only needs to know the user's provider ID, the barrier to entry is low, which makes this vulnerability particularly concerning.
CVE-2026-33409 was publicly disclosed on March 19, 2026. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation makes it a potential target for malicious actors. The vulnerability's criticality and the relatively simple attack vector suggest a medium probability of exploitation. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-33409 is to upgrade Parse Server to version 9.6.0-alpha.41 or later. This version includes a fix that validates all authentication providers during login, regardless of the allowExpiredAuthDataToken setting. If upgrading is not immediately feasible, disabling the allowExpiredAuthDataToken server option removes the precondition for the attack, although it may affect legitimate users whose provider tokens have expired. Monitor Parse Server logs for suspicious login attempts, particularly those involving unusual provider IDs. After upgrading, confirm the fix by attempting a login with a third-party provider and verifying that the authentication data is properly validated.
Upgrade Parse Server to version 8.6.52 or later, or to version 9.6.0-alpha.41 or later. If you cannot upgrade immediately, make sure the `allowExpiredAuthDataToken` server option is set to `false` (this is the default value).
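As an added example (not code from the Parse Server project), the following Node.js audit encodes the two preconditions the advisory names: it orders a running version against the fixed-in list, including the 9.6.0-alpha.41 prerelease, and checks whether allowExpiredAuthDataToken is enabled. The handling of release lines without a listed fix is an assumption and is marked as such in the code.

```javascript
// Added example, not Parse Server project code: decide whether a deployment
// meets both CVE-2026-33409 pre-conditions (pre-fix version AND option on).

// Fixed-in versions from the advisory. Assumption: each entry fixes its own
// major.minor release line from that version onward.
const FIXED_IN = ['8.6.53', '9.0.1', '9.6.0-alpha.41'];

// Parse "9.6.0-alpha.41" into { core: [9, 6, 0], pre: ['alpha', 41] }.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  const parsed = { core: core.split('.').map(Number), pre: null };
  if (pre) {
    const [tag, n] = pre.split('.');
    parsed.pre = [tag, n === undefined ? 0 : Number(n)];
  }
  return parsed;
}

// Semver-style ordering: compare the numeric core first; a prerelease sorts
// before the final release with the same core (9.6.0-alpha.41 < 9.6.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  if (pa.pre[0] !== pb.pre[0]) return pa.pre[0] < pb.pre[0] ? -1 : 1;
  return pa.pre[1] - pb.pre[1];
}

// True when the running version predates the fix for its release line.
// Assumption: a line with no listed fix is judged against the advisory's
// overall boundary of 9.6.0-alpha.41; confirm such cases against the advisory.
function isVulnerableVersion(version) {
  const line = version.split('.').slice(0, 2).join('.') + '.';
  const fix = FIXED_IN.find(f => f.startsWith(line)) || '9.6.0-alpha.41';
  return compareVersions(version, fix) < 0;
}

// Exploitation needs both conditions; a fixed version or a disabled option
// (the documented default) closes the issue on its own.
function auditDeployment(version, options) {
  const vulnerableVersion = isVulnerableVersion(version);
  const optionEnabled = options.allowExpiredAuthDataToken === true;
  return { vulnerableVersion, optionEnabled, exposed: vulnerableVersion && optionEnabled };
}
```

Run `auditDeployment(require('parse-server/package.json').version, yourServerOptions)` against the options object you pass to ParseServer to get the verdict for a live deployment.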
CVE-2026-33409 is a critical vulnerability in Parse Server allowing attackers to log in as users with linked third-party authentication providers without their credentials.
You are affected if you are using Parse Server versions prior to 9.6.0-alpha.41 and have the allowExpiredAuthDataToken server option set to true.
Upgrade Parse Server to version 9.6.0-alpha.41 or later. Alternatively, disable the allowExpiredAuthDataToken option if upgrading is not immediately possible.
While no public exploit is currently available, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the official Parse Server documentation and security advisories for the most up-to-date information: [https://parse.com/docs/security](https://parse.com/docs/security)