CVE-2026-33538
Published: 24 March 2026
Summary
CVE-2026-33538 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 32.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation: upgrading to Parse Server 8.6.58 or 9.6.0-alpha.52 removes the per-request database query for unconfigured providers, and with it the resource-exhausting collection scans.
SC-5 provides denial-of-service protection through mechanisms such as rate limiting on the authentication endpoints, which blunts the parallelized request floods needed to keep the user collection under continuous full scans.
SC-6 safeguards resource availability by monitoring and capping the database CPU and I/O that unauthenticated requests carrying arbitrary provider names are allowed to consume, so a single endpoint cannot starve the rest of the deployment.
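To make the SC-5 and SC-6 controls above concrete, here is an added example (not Parse Server's own code or its patch) of the two cheap checks a deployment can put in front of the authentication endpoints: an allow-list check of the provider names under `authData` against the providers that are actually configured, and a per-client rate limit. Both run before any database access, which is the whole point given this CVE. The `/parse` mount path, the provider list and the request objects are assumptions constructed for the example; the request shape follows the Parse REST API, where third-party credentials sit under `body.authData[<providerName>]`.

```javascript
// Added example, not Parse Server code: gate auth requests before they can
// reach the database. Mount path, provider list and limits are assumptions.

// Endpoints that accept authData (assumed /parse mount path).
const AUTH_PATHS = new Set(['/parse/users', '/parse/login']);

// Providers this deployment has actually configured (constructed example set).
const CONFIGURED_PROVIDERS = new Set(['facebook', 'google', 'apple']);

// Returns null if the body is acceptable, otherwise a status and reason.
// Classic username/password requests carry no authData and pass through.
function checkAuthProviders(body, configured = CONFIGURED_PROVIDERS) {
  if (!body || typeof body.authData !== 'object' || body.authData === null) {
    return null;
  }
  const unknown = Object.keys(body.authData).filter((p) => !configured.has(p));
  if (unknown.length > 0) {
    return { status: 400, reason: `unconfigured auth provider(s): ${unknown.join(', ')}` };
  }
  return null;
}

// Fixed-window rate limiter keyed by client identifier (e.g. source IP).
// Every auth attempt counts, including ones later rejected for a bad
// provider, so a flood of junk provider names is throttled too.
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { windowStart, count }
  }
  allow(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      b = { windowStart: now, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Combined gate: rate limit first, then provider allow-list.
// Returns { allowed: true } or { allowed: false, status, reason }.
function gateAuthRequest(req, limiter, now = Date.now()) {
  if (!AUTH_PATHS.has(req.path)) return { allowed: true };
  if (!limiter.allow(req.ip, now)) {
    return { allowed: false, status: 429, reason: 'rate limit exceeded' };
  }
  const providerProblem = checkAuthProviders(req.body);
  if (providerProblem) return { allowed: false, ...providerProblem };
  return { allowed: true };
}

// Stand-alone demo with constructed requests.
const demoLimiter = new RateLimiter({ limit: 3, windowMs: 60_000 });
const junk = { path: '/parse/login', ip: '203.0.113.5',
               body: { authData: { notaprovider: { id: 'x' } } } };
const legit = { path: '/parse/login', ip: '203.0.113.5',
                body: { authData: { google: { id: 'x', id_token: 't' } } } };
console.log(gateAuthRequest(junk, demoLimiter, 0));   // 400, unconfigured provider
console.log(gateAuthRequest(legit, demoLimiter, 0));  // allowed
console.log(gateAuthRequest(legit, demoLimiter, 1));  // allowed
console.log(gateAuthRequest(legit, demoLimiter, 2));  // 429, window exhausted
```

In a real deployment the same two checks would live in a reverse proxy or an Express middleware mounted ahead of Parse Server, keyed on the real client address rather than a spoofable header, and the window and limit would be tuned to the legitimate login rate of the app.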
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables direct exploitation of an application-layer resource exhaustion flaw (CWE-400) through repeated unauthenticated authentication requests, matching T1499.004 (Application or System Exploitation), the sub-technique of Endpoint Denial of Service (T1499).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
Deeper analysis
CVE-2026-33538 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 8.6.58 and 9.6.0-alpha.52, the server processes authentication requests containing arbitrary, unconfigured provider names by executing a database query for each one before rejection. Without a database index for unconfigured providers, each request triggers a full collection scan on the user database, enabling resource exhaustion.
An unauthenticated network attacker can exploit this vulnerability with low complexity and no privileges, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): no confidentiality or integrity impact, but high availability impact. By sending repeated authentication requests with fabricated provider names, the attacker forces a full collection scan per request; because the scan cost grows with the size of the user collection, deployments with large user bases are hit hardest, and the requests can be parallelized across connections or hosts to saturate database CPU and I/O until the service becomes unavailable. This aligns with CWE-400 (Uncontrolled Resource Consumption).
The Parse Server security advisory (GHSA-g4cf-xj29-wqqr) and related GitHub pull requests (#10270, #10271) detail the patch, available in versions 8.6.58 and 9.6.0-alpha.52 via commits 40eb442e02672986730007d0a1edb22c1c4bd357 and fbac847499e57f243315c5fc7135be1d58bb8e54. Security practitioners should upgrade immediately and monitor for unusual authentication traffic patterns as an interim measure.
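For the interim monitoring recommended above, the following is an added example (not part of this advisory or of Parse Server) that scans reverse-proxy access logs in front of Parse Server for bursts of authentication requests. It flags a single source address exceeding a per-minute threshold and, for the parallelized case the CVE describes, an aggregate per-minute threshold across all sources. The log lines are constructed for the example in the common "combined" format used by nginx and Apache; the `/parse` mount path and the thresholds are assumptions.

```javascript
// Added example, not Parse Server code: detect auth-request bursts in a
// constructed "combined" format access log. Mount path and limits are assumed.

const AUTH_PATHS = ['/parse/login', '/parse/users'];

// combined format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status] = m;
  return { ip, ts, method, path: path.split('?')[0], status: Number(status) };
}

// "24/Mar/2026:10:15:01 +0000" -> "24/Mar/2026:10:15" (minute bucket)
function minuteBucket(ts) {
  return ts.slice(0, 17);
}

// Count POSTs to auth endpoints per (ip, minute) and per minute overall,
// returning one alert per threshold breach.
function findAuthBursts(lines, { perIpLimit = 30, totalLimit = 200 } = {}) {
  const perIp = new Map();     // "ip|minute" -> count
  const perMinute = new Map(); // minute -> count
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST' || !AUTH_PATHS.includes(r.path)) continue;
    const minute = minuteBucket(r.ts);
    const key = `${r.ip}|${minute}`;
    perIp.set(key, (perIp.get(key) || 0) + 1);
    perMinute.set(minute, (perMinute.get(minute) || 0) + 1);
  }
  const alerts = [];
  for (const [key, count] of perIp) {
    if (count > perIpLimit) {
      const [ip, minute] = key.split('|');
      alerts.push({ kind: 'single-source', ip, minute, count });
    }
  }
  for (const [minute, count] of perMinute) {
    if (count > totalLimit) alerts.push({ kind: 'aggregate', minute, count });
  }
  return alerts;
}

// Constructed sample log: one noisy client, one normal client, some reads.
function makeLine(ip, ts, method, path, status) {
  return `${ip} - - [${ts}] "${method} ${path} HTTP/1.1" ${status} 91 "-" "curl/8.4.0"`;
}
const SAMPLE_LOG = [];
for (let i = 0; i < 50; i++) {
  const sec = String(i).padStart(2, '0');
  SAMPLE_LOG.push(makeLine('203.0.113.5', `24/Mar/2026:10:15:${sec} +0000`, 'POST', '/parse/login', 400));
}
for (let i = 0; i < 3; i++) {
  SAMPLE_LOG.push(makeLine('198.51.100.7', `24/Mar/2026:10:15:1${i} +0000`, 'POST', '/parse/login', 200));
}
SAMPLE_LOG.push(makeLine('198.51.100.7', '24/Mar/2026:10:15:20 +0000', 'GET', '/parse/classes/Post', 200));

// Constructed distributed sample: 60 sources, 5 requests each, same minute.
function distributedSample() {
  const out = [];
  for (let h = 1; h <= 60; h++) {
    for (let i = 0; i < 5; i++) {
      out.push(makeLine(`192.0.2.${h}`, `24/Mar/2026:10:16:0${i} +0000`, 'POST', '/parse/users', 400));
    }
  }
  return out;
}

console.log(findAuthBursts(SAMPLE_LOG));           // one single-source alert, count 50
console.log(findAuthBursts(distributedSample()));  // one aggregate alert, count 300
```

The per-source rule catches a lone attacker; the aggregate rule is the one that matters for this CVE, since the advisory notes the scans can be parallelized, and a botnet spreading requests thinly across many addresses stays under any per-IP limit while still keeping the database busy. Pair the alert with database-side metrics (CPU, scanned documents, query latency) to confirm impact before paging anyone.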
Details
- CWE(s)