{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-10T15:51:42.117","vulnerabilities":[{"cve":{"id":"CVE-2026-33409","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T19:16:53.287","lastModified":"2026-03-25T21:25:29.410","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.52 y 9.6.0-alpha.41, una vulnerabilidad de omisión de autenticación permite a un atacante iniciar sesión como cualquier usuario que haya vinculado un proveedor de autenticación de terceros, sin conocer las credenciales del usuario. El atacante solo necesita conocer el ID de proveedor del usuario para obtener acceso completo a su cuenta, incluyendo un token de sesión válido. Esto afecta a las implementaciones de Parse Server donde la opción del servidor allowExpiredAuthDataToken está configurada como true. El valor predeterminado es false. Este problema ha sido parcheado en las versiones 8.6.52 y 9.6.0-alpha.41."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"HIGH","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.52","matchCriteriaId":"3707A6E9-1326-45A4-B189-091E03E4E604"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.6.0","matchCriteriaId":"1BAC01F8-0899-482C-8D91-64671BF2859A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"BBED261F-CA1B-44BC-9C3A-37378590EFEE"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*","matchCriteriaId":"418338C9-6AEC-492C-ACA4-9B3C0AAE149C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*","matchCriteriaId":"808B6482-BF8E-407D-8462-E757657CC323"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*","matchCriteriaId":"B84C28F8-AADE-41BB-A0EF-B701AB57DC3A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*","matchCriteriaId":"7567BB81-7837-4265-B792-6A9B73CECF93"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*","matchCriteriaId":"0035C6F1-21B9-42D1-BE29-690905F3558C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*","matchCriteriaId":"623FB30A-0693-4449-80FA-16D36B1BE66C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*","matchCriteriaId":"9B420167-CD3E-45A7-AD9A-0F83AEC634BA"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*","matchCriteriaId":"030A8626-DBBD-4BF2-B362-79B44FB1204D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*","matchCriteriaId":"D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*","matchCriteriaId":"65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"EDC98AF7-8620-4A25-9BE5-623672599677"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*","matchCriteriaId":"23E28E0F-9379-4628-B9DC-8C94A45902CF"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*","matchCriteriaId":"6631BE51-74FB-40C0-9E91-0EDF2DCADD7A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*","matchCriteriaId":"8B0E4254-14A3-4EB6-9E98-CF45EB08B17F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*","matchCriteriaId":"0FF63FDE-75F5-44B6-A958-CF653D84D3B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*","matchCriteriaId":"252B812D-A162-41C1-91CD-08D0CBAC5C46"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*","matchCriteriaId":"421691EA-F55A-4738-8ABD-74B53B6DF155"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*","matchCriteriaId":"5E7FAB59-142E-4191-9A6F-0744D810CD81"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*","matchCriteriaId":"B010F310-05A1-48AE-B002-8F4C7FA62EB3"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*","matchCriteriaId":"4D3B2C32-16D8-415B-A49F-060ECE8F0F33"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*","matchCriteriaId":"43BE83C2-C756-4A5A-A340-B7D1FB52078D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"DF340605-8CC8-4543-9F5D-E8602D258CED"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*","matchCriteriaId":"702EBB22-3E9F-4CBE-B855-2E3642C530B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*","matchCriteriaId":"7C17AD66-684F-4662-AF16-838FF05F47D5"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*","matchCriteriaId":"13C25963-CAE7-49AA-A941-254DCE289E35"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*","matchCriteriaId":"B6BF0C2F-DD2B-4864-961F-CA808EF22633"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*","matchCriteriaId":"8FBB21E9-CB73-4CB1-841A-D1C08167DB51"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*","matchCriteriaId":"4CD55F0B-D854-43D4-A0F5-F83386DB24C9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*","matchCriteriaId":"1097E8DF-3D0E-47C6-882D-E37B22119538"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*","matchCriteriaId":"8C60F121-1C0B-4EB5-87EF-F1BED070C13B"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*","matchCriteriaId":"04D8514D-CC66-4E6B-90C8-6108F0DAA661"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*","matchCriteriaId":"4BB65A73-7BB7-42E4-97A3-4D6305172E05"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"A052DFCA-EDCC-43D7-82C7-E5311F6F7687"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*","matchCriteriaId":"192A78FB-E141-4F14-8C4A-20A4118B01C9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"12B11714-B961-4330-B241-FC5AF94FDBE8"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"37A7C42B-4986-4BB6-BB27-0324A9AA1CFF"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"C793834B-64B4-4DE9-BD7D-79B52C30C34E"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*","matchCriteriaId":"7AD455C8-88BE-4A0A-B33D-3A7811FFB753"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*","matchCriteriaId":"26C475A2-997C-4C3A-8CB6-04AB3534BBC3"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/parse-community/parse-server/pull/10246","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/parse-community/parse-server/pull/10247","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}