CVE-2026-31828

EPSS 0.42%
Veröffentlicht 10.03.2026 21:41:48
Zuletzt bearbeitet 11.03.2026 14:28:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 14 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.26

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.5.2

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha12 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.337

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c

Patch

Vendor Advisory

https://github.com/parse-community/parse-server/releases/tag/8.6.26

Product

Release Notes

https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-31828

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31828

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31828

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31828