6.9

CVE-2026-33042

Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. The fix in 9.6.0-alpha.29 and 8.6.49 ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. As a workaround, use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ParseplatformParse-server SwPlatformnode.js Version < 8.6.49
ParseplatformParse-server SwPlatformnode.js Version >= 9.0.0 < 9.6.0
ParseplatformParse-server Version9.6.0 Updatealpha1 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha10 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha11 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha12 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha13 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha14 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha15 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha16 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha17 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha18 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha19 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha2 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha20 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha21 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha22 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha23 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha24 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha25 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha26 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha27 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha28 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha3 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha4 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha5 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha6 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha7 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha8 SwPlatformnode.js
ParseplatformParse-server Version9.6.0 Updatealpha9 SwPlatformnode.js
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.209
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 6.9 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
Vendor Advisory
https://github.com/parse-community/parse-server/pull/10219
Issue Tracking
https://github.com/parse-community/parse-server/pull/10220
Issue Tracking