{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T19:26:01.708","vulnerabilities":[{"cve":{"id":"CVE-2026-31828","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T22:16:20.783","lastModified":"2026-03-11T14:28:08.187","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Anteriormente a 9.5.2-alpha.13 y 8.6.26, el adaptador de autenticación LDAP es vulnerable a la inyección LDAP. La entrada proporcionada por el usuario (authData.id) se interpola directamente en los Nombres Distinguidos LDAP (DN) y en los filtros de búsqueda de grupo sin escapar caracteres especiales. Esto permite a un atacante con credenciales LDAP válidas manipular la estructura del DN de enlace y eludir las comprobaciones de membresía de grupo. Esto posibilita la escalada de privilegios desde cualquier usuario LDAP autenticado a un miembro de cualquier grupo restringido. La vulnerabilidad afecta a los despliegues de Parse Server que utilizan el adaptador de autenticación LDAP con control de acceso basado en grupos. Esta vulnerabilidad está corregida en 9.5.2-alpha.13 y 8.6.26."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-90"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.26","matchCriteriaId":"F3920902-9365-4C17-BB8F-674A28AE52D9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.5.2","matchCriteriaId":"E66572ED-597B-4D8E-A636-733D463A4E4D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*","matchCriteriaId":"79CCA374-1498-4651-9FF9-F0B73D76CEB9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*","matchCriteriaId":"2EEA21BC-9699-4625-9319-5C687219C716"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha12:*:*:*:node.js:*:*","matchCriteriaId":"D79432DC-A58A-4858-BBA1-2BEECBEBF6E1"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"601B2CF1-D29A-42CC-8405-185C1A8E1EB2"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"BC9F2B9D-026F-454B-B565-05AA441FA54F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"FDDB20F1-F6A7-4B1E-B075-CC250613D826"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"19B7C5A9-B59A-4A47-B4F0-13C7C796B496"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*","matchCriteriaId":"0E619B8B-BC91-4F71-B84D-52E563AB8E03"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*","matchCriteriaId":"6C9DB980-4201-43D3-B019-2A6B325B896E"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.26","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c","source":"security-advisories@github.com","tags":["Vendor Advisory","Patch"]}]}}]}