CVE-2026-32248
Published: 12 March 2026
Summary
CVE-2026-32248 is a critical-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 27.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation: patching Parse Server to version 8.6.38 or 9.6.0-alpha.12, both of which enforce exact-match lookups.
- Requires validation of user identifiers in login requests, blocking crafted inputs that would turn the lookup into a pattern-matching query instead of an exact-match one.
- Mandates secure configuration settings, such as disabling anonymous authentication (enabled by default), which removes the vulnerable authentication provider from the deployment.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in public-facing Parse Server enables remote exploitation (T1190) to obtain valid user sessions without credentials (T1078).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.
Deeper analysis
CVE-2026-32248 is a critical authentication bypass vulnerability (CVSS 3.1 score of 9.8) in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. Affecting versions prior to 9.6.0-alpha.12 and 8.6.38, the flaw arises when using authentication providers that do not validate the format of user identifiers, such as anonymous authentication (enabled by default). An unauthenticated attacker can send a crafted login request that tricks the server into executing a pattern-matching query on MongoDB or PostgreSQL backends instead of an exact-match lookup, enabling account takeover.
Any unauthenticated remote attacker can exploit this vulnerability against Parse Server deployments permitting anonymous authentication. By crafting a login request with a manipulated user identifier, the attacker matches and logs in as an existing user account created via the vulnerable provider, obtaining a valid session token. This grants full access to the victim's account privileges, potentially leading to unauthorized data access, modification, or further compromise depending on application permissions.
Parse Server advisories recommend upgrading to version 8.6.38 or 9.6.0-alpha.12, where the issue is fixed by enforcing exact-match lookups. Details are available in the GitHub security advisory (GHSA-5fw2-8jcv-xh87) and release notes for the patched versions.
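The following is an added illustration, not Parse Server's own code, of the exact-match-versus-pattern-match distinction the advisory describes: a lookup that forwards an untrusted identifier straight into a query document lets a non-string value be interpreted by the query engine as an operator, while the hardened form enforces a string type and an explicit `$eq` comparison. The field path `authData.anonymous.id`, the sample records and the tiny in-memory matcher are assumptions made for the demonstration.

```javascript
// Added example: exact-match vs. pattern-matching lookups on an auth identifier.
// Illustration only, not Parse Server code; the field path, the sample records
// and the in-memory matcher below are assumptions made for this demo.

// Constructed sample user records, standing in for a users collection.
const users = [
  { objectId: 'u1', 'authData.anonymous.id': '4f2a-anon-0001' },
  { objectId: 'u2', 'authData.anonymous.id': '4f2a-anon-0002' },
];

// Minimal matcher emulating how a document query engine treats a field
// condition: a plain string means equality, an object is an operator document.
function matches(record, field, condition) {
  const value = record[field];
  if (condition !== null && typeof condition === 'object') {
    if ('$eq' in condition) return value === condition.$eq;
    if ('$regex' in condition) return new RegExp(condition.$regex).test(String(value));
    return false;
  }
  return value === condition;
}

// Weak lookup: forwards whatever the login request carried as the id, so the
// request body decides whether the query is an equality or a pattern match.
function weakLookup(id) {
  return users.filter((u) => matches(u, 'authData.anonymous.id', id));
}

// Hardened lookup: require a non-empty string and wrap it in an explicit $eq,
// so the request can never supply an operator document of its own.
function exactLookup(id) {
  if (typeof id !== 'string' || id.length === 0) {
    throw new TypeError('auth identifier must be a non-empty string');
  }
  return users.filter((u) => matches(u, 'authData.anonymous.id', { $eq: id }));
}
```

A login handler should treat any result set with other than exactly one record, or any rejected identifier, as a failed login rather than picking the first match.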
Details
- CWE(s)