CVE-2026-33323

EUVD-2026-14189

24.03.2026, 19:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.51
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.6.0
parseplatform	parse-server	9.6.0:alpha1
parseplatform	parse-server	9.6.0:alpha10
parseplatform	parse-server	9.6.0:alpha11
parseplatform	parse-server	9.6.0:alpha12
parseplatform	parse-server	9.6.0:alpha13
parseplatform	parse-server	9.6.0:alpha14
parseplatform	parse-server	9.6.0:alpha15
parseplatform	parse-server	9.6.0:alpha16
parseplatform	parse-server	9.6.0:alpha17
parseplatform	parse-server	9.6.0:alpha18
parseplatform	parse-server	9.6.0:alpha19
parseplatform	parse-server	9.6.0:alpha2
parseplatform	parse-server	9.6.0:alpha20
parseplatform	parse-server	9.6.0:alpha21
parseplatform	parse-server	9.6.0:alpha22
parseplatform	parse-server	9.6.0:alpha23
parseplatform	parse-server	9.6.0:alpha24
parseplatform	parse-server	9.6.0:alpha25
parseplatform	parse-server	9.6.0:alpha26
parseplatform	parse-server	9.6.0:alpha27
parseplatform	parse-server	9.6.0:alpha28
parseplatform	parse-server	9.6.0:alpha29
parseplatform	parse-server	9.6.0:alpha3
parseplatform	parse-server	9.6.0:alpha30
parseplatform	parse-server	9.6.0:alpha31
parseplatform	parse-server	9.6.0:alpha32
parseplatform	parse-server	9.6.0:alpha33
parseplatform	parse-server	9.6.0:alpha34
parseplatform	parse-server	9.6.0:alpha35
parseplatform	parse-server	9.6.0:alpha36
parseplatform	parse-server	9.6.0:alpha37
parseplatform	parse-server	9.6.0:alpha38
parseplatform	parse-server	9.6.0:alpha39
parseplatform	parse-server	9.6.0:alpha4
parseplatform	parse-server	9.6.0:alpha5
parseplatform	parse-server	9.6.0:alpha6
parseplatform	parse-server	9.6.0:alpha7
parseplatform	parse-server	9.6.0:alpha8
parseplatform	parse-server	9.6.0:alpha9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5

https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3

https://github.com/parse-community/parse-server/pull/10238

https://github.com/parse-community/parse-server/pull/10243

https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f