CVE-2026-31901

EUVD-2026-11317

11.03.2026, 20:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.34
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.6.0
parseplatform	parse-server	9.6.0:alpha1
parseplatform	parse-server	9.6.0:alpha2
parseplatform	parse-server	9.6.0:alpha3
parseplatform	parse-server	9.6.0:alpha4
parseplatform	parse-server	9.6.0:alpha5
parseplatform	parse-server	9.6.0:alpha6
parseplatform	parse-server	9.6.0:alpha7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://github.com/parse-community/parse-server/releases/tag/8.6.34

https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8

https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856