Cyber Resilience

CVE-2026-32248

Critical

Published: 12 March 2026
Modified: 13 March 2026
KEV Added
Patch
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0063 (45.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32248 is a critical-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 45.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32248 is a critical authentication bypass vulnerability (CVSS 3.1 score of 9.8) in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. It affects versions prior to 9.6.0-alpha.12 and 8.6.38 and arises when an authentication provider does not validate the format of the user identifier, as is the case with anonymous authentication (enabled by default). An unauthenticated attacker can send a crafted login request that causes the server to run a pattern-matching query against the MongoDB or PostgreSQL backend instead of an exact-match lookup, enabling account takeover.

Any unauthenticated remote attacker can exploit this vulnerability against Parse Server deployments permitting anonymous authentication. By crafting a login request with a manipulated user identifier, the attacker matches and logs in as an existing user account created via the vulnerable provider, obtaining a valid session token. This grants full access to the victim's account privileges, potentially leading to unauthorized data access, modification, or further compromise depending on application permissions.

Parse Server advisories recommend upgrading to version 8.6.38 or 9.6.0-alpha.12, where the issue is fixed by enforcing exact-match lookups. Details are available in the GitHub security advisory (GHSA-5fw2-8jcv-xh87) and release notes for the patched versions.

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.
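The root cause described in the deeper analysis and in the vulnerability details above is an identifier that reaches the database query without a format check, so it can be interpreted as a pattern rather than a literal. The following is an added example (not Parse Server's own code) of the defensive pattern the fix describes: validate the provider identifier as a plain bounded string, then query it with an explicit equality comparison. The field name `_auth_data_<provider>.id` and the sample accounts are assumptions constructed for the example.

```javascript
// Added example, not Parse Server's own code: validate an auth-provider user
// identifier before it reaches the database and always look it up with an
// exact-match comparison, so a crafted identifier is never read as a pattern.
const MAX_ID_LENGTH = 128;

// Reject anything that is not a plain, bounded string. A JSON body can carry
// objects in this field; refusing them means no query operator can be
// smuggled in through the identifier.
function validateAuthId(id) {
  if (typeof id !== 'string') throw new TypeError('auth id must be a string');
  if (id.length === 0 || id.length > MAX_ID_LENGTH) {
    throw new RangeError('auth id has invalid length');
  }
  return id;
}

// The provider name also comes from the request; allow only plain names.
function validateProvider(provider) {
  if (typeof provider !== 'string' || !/^[a-z0-9_]+$/i.test(provider)) {
    throw new TypeError('invalid auth provider name');
  }
  return provider;
}

// MongoDB: compare with $eq so the value is a literal, never an expression.
// The field name is assumed here, not Parse Server's actual schema.
function buildExactMatchFilter(provider, id) {
  const field = `_auth_data_${validateProvider(provider)}.id`;
  return { [field]: { $eq: validateAuthId(id) } };
}

// In-memory lookup emulating the exact-match query over constructed records;
// a wildcard-looking string such as ".*" matches nothing unless stored as-is.
function findUserByAuthId(users, provider, id) {
  const p = validateProvider(provider);
  const wanted = validateAuthId(id);
  const hits = users.filter(u => u.authData?.[p]?.id === wanted);
  return hits.length === 1 ? hits[0] : null;
}

// Constructed sample accounts, not real data.
const SAMPLE_USERS = [
  { objectId: 'u1', authData: { anonymous: { id: 'a1b2c3' } } },
  { objectId: 'u2', authData: { anonymous: { id: 'zz9' } } },
];
```

On a PostgreSQL backend the same principle applies: the validated identifier is passed as a bind parameter to an `=` comparison, never interpolated into the query text.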

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Auth bypass in public-facing Parse Server enables remote exploitation (T1190) to obtain valid user sessions without credentials (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30941 (same product: Parseplatform Parse-Server)
CVE-2026-27804 (same product: Parseplatform Parse-Server)
CVE-2026-32242 (same product: Parseplatform Parse-Server)
CVE-2026-30949 (same product: Parseplatform Parse-Server)
CVE-2026-33409 (same product: Parseplatform Parse-Server)
CVE-2026-31800 (same product: Parseplatform Parse-Server)
CVE-2026-34784 (same product: Parseplatform Parse-Server)
CVE-2026-31871 (same product: Parseplatform Parse-Server)
CVE-2026-30947 (same product: Parseplatform Parse-Server)
CVE-2026-30966 (same product: Parseplatform Parse-Server)

Affected Assets

parseplatform / parse-server: 9.6.0 · ≤ 8.6.38 · 9.0.0 to 9.6.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates the vulnerability by requiring timely remediation through patching Parse Server to versions 8.6.38 or 9.6.0-alpha.12, which enforce exact-match lookups.

SI-10 (Information Input Validation), prevent: Requires validation of user identifiers in login requests to block crafted inputs that trigger pattern-matching queries instead of exact-match lookups.

CM-6 (Configuration Settings), prevent: Mandates secure configuration settings, such as disabling anonymous authentication (enabled by default), to eliminate the vulnerable authentication provider.
