CVE-2026-33409
Published: 24 March 2026
Summary
CVE-2026-33409 is a critical-severity Improper Authentication (CWE-287) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Patching Parse Server to versions 8.6.52 or 9.6.0-alpha.41 directly remediates the authentication bypass vulnerability exploiting expired third-party auth data tokens.
Enforcing configuration settings to ensure allowExpiredAuthDataToken is set to false (the secure default) prevents activation of the vulnerable authentication path.
Managing authenticators to invalidate expired tokens and enforce secure handling of third-party provider credentials mitigates risks of unauthorized login using provider IDs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing Parse Server directly enables T1190 (exploit public app) to obtain valid session tokens and impersonate accounts via T1078 (valid accounts) without credentials.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked…
more
a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
Deeper analysisAI
CVE-2026-33409 is an authentication bypass vulnerability (CWE-287) in Parse Server, an open source backend deployable on any Node.js infrastructure. It affects versions prior to 8.6.52 and 9.6.0-alpha.41, but only in deployments where the server option allowExpiredAuthDataToken is explicitly set to true (the default is false). The flaw enables an attacker to log in as any user who has linked a third-party authentication provider without knowing the user's credentials, requiring only the user's provider ID to obtain full account access, including a valid session token. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated attacker with network access to the Parse Server can exploit this issue if they know a target user's third-party provider ID, which may be discoverable through social engineering, data leaks, or enumeration. Successful exploitation grants complete impersonation of the victim user, allowing arbitrary actions under their privileges, such as data manipulation, privilege escalation if the user has admin rights, or further lateral movement within the application.
Parse Server maintainers have patched the vulnerability in versions 8.6.52 and 9.6.0-alpha.41, as detailed in GitHub security advisory GHSA-pfj7-wv7c-22pr and associated pull requests #10246 and #10247, with commits 8d7df5639c4a35768fe8b78b4580b30e8a74721c and 98f4ba5bcf2c199bfe6225f672e8edcd08ba732d. Security practitioners should upgrade to these versions and review configurations to ensure allowExpiredAuthDataToken remains false, while monitoring for anomalous authentication events.
Details
- CWE(s)