CVE-2026-33498

Severity: High · Category: DDoS

Published: 24 March 2026
Modified: 25 March 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0045 (35.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33498 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 35.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33498 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 8.6.55 and 9.6.0-alpha.44, the issue allows an unauthenticated HTTP request containing a deeply nested query with logical operators to cause the Parse Server process to hang indefinitely. This renders the server completely unresponsive, necessitating a manual restart, and represents a bypass of the mitigation for the related CVE-2026-32944. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-674 (Uncontrolled Recursion).

Any unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Parse Server instance that is reachable over the network. Successful exploitation leads to a permanent denial of service: the server process hangs and stays unresponsive, without necessarily consuming resources beyond the recursive query processing itself, so administrators must restart the service manually.

The issue has been addressed in Parse Server versions 8.6.55 and 9.6.0-alpha.44, with patches detailed in GitHub commits 2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5 and 85994eff9e7b34cac7e1a2f5791985022a1461d1, as well as pull requests 10257 and 10258. Security practitioners should upgrade to these fixed versions immediately, as outlined in the official advisory at GHSA-9fjp-q3c4-6w3j.

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE directly describes unauthenticated remote exploitation of a public Parse Server via a crafted HTTP query that causes an indefinite hang through uncontrolled recursion (CWE-674), matching T1499.004 Application or System Exploitation (Endpoint Denial of Service).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32944 · Same product: Parseplatform Parse-Server
CVE-2026-33508 · Same product: Parseplatform Parse-Server
CVE-2026-32770 · Same product: Parseplatform Parse-Server
CVE-2026-34573 · Same product: Parseplatform Parse-Server
CVE-2026-32886 · Same product: Parseplatform Parse-Server
CVE-2026-33538 · Same product: Parseplatform Parse-Server
CVE-2026-30925 · Same product: Parseplatform Parse-Server
CVE-2026-30946 · Same product: Parseplatform Parse-Server
CVE-2026-30939 · Same product: Parseplatform Parse-Server
CVE-2026-30972 · Same product: Parseplatform Parse-Server

Affected Assets

Vendor: parseplatform
Product: parse-server
Versions: 9.6.0 · ≤ 8.6.55 · 9.0.0 — 9.6.0

Mitigating Controls (NIST 800-53 r5)

Flaw Remediation (prevent): flaw remediation directly mitigates the vulnerability by applying the patches in Parse Server versions 8.6.55 or 9.6.0-alpha.44 that fix the uncontrolled recursion in query processing.

SC-5 Denial-of-service Protection (prevent): denial-of-service protection implements mechanisms such as request throttling or filtering to block specially crafted deeply nested queries that hang the server process.

SI-10 Information Input Validation (prevent): information input validation scrutinizes HTTP query parameters for deeply nested logical operators, preventing uncontrolled recursion and server hangs.
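As an added illustration of the SI-10 control above (example code, not Parse Server's own patch or code from the advisory), the following Node.js snippet bounds the nesting depth of logical operators in a Parse-style where-clause before the request reaches the query engine. It assumes the Parse REST API's query shape, where `$and`, `$or` and `$nor` hold arrays of sub-queries; the depth limit, the middleware name and the request/response objects are hypothetical, and the sample queries in the test are constructed.

```javascript
// Added example, not Parse Server's own patch: a defensive depth limit for
// Parse-style "where" query objects, i.e. input validation (SI-10) applied in
// front of query processing. Assumed input shape: a JSON where-clause whose
// logical operators $and / $or / $nor hold arrays of sub-queries.

const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Maximum nesting depth of logical operators in a where-clause. Uses an
// explicit stack instead of recursion so the checker itself cannot be
// exhausted by the input it rejects, and stops once maxDepth is exceeded.
function logicalDepth(where, maxDepth = Infinity) {
  let deepest = 0;
  const stack = [[where, 0]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue; // scalar leaf
    if (depth > deepest) deepest = depth;
    if (deepest > maxDepth) break; // already over the limit, stop early
    if (Array.isArray(node)) {
      for (const item of node) stack.push([item, depth]);
    } else {
      for (const [key, value] of Object.entries(node)) {
        stack.push([value, LOGICAL_OPERATORS.has(key) ? depth + 1 : depth]);
      }
    }
  }
  return deepest;
}

// Assumed policy value: legitimate client queries rarely nest more than a
// handful of logical operators, so tune this against real traffic.
const MAX_LOGICAL_DEPTH = 10;

// Express-style middleware (hypothetical name). Parse REST clients send
// "where" either as a JSON body field or as a JSON-encoded query-string
// parameter; both are checked before the request reaches the query engine.
function rejectDeepQueries(req, res, next) {
  let where = req.body && req.body.where;
  if (where === undefined && req.query && typeof req.query.where === 'string') {
    try { where = JSON.parse(req.query.where); } catch (err) {
      return res.status(400).json({ error: 'malformed where parameter' });
    }
  }
  if (where !== undefined && logicalDepth(where, MAX_LOGICAL_DEPTH) > MAX_LOGICAL_DEPTH) {
    return res.status(400).json({ error: 'query nesting depth exceeds limit' });
  }
  return next();
}
```

Rejecting over-deep queries at the edge is a compensating control only; upgrading to the patched versions named in the advisory remains the actual fix.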