CVE-2026-30941
NoSQL Injection in Parse Server Enables Token Theft

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, a NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. This vulnerability is fixed in 8.6.14 and 9.5.2-alpha.1.
Affected Vendors & Products

Vendor         Product        Version / Range
parseplatform  parse-server   From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform  parse-server   Up to 8.6.14 (exc)
CWE ID   Description
CWE-943  The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Executive Summary

CVE-2026-30941 is a NoSQL injection vulnerability in Parse Server versions prior to 8.6.14 and 9.5.2-alpha.1. It occurs in the password reset and email verification resend endpoints, where the token parameter is used directly in MongoDB queries without proper type validation.

An unauthenticated attacker can inject MongoDB query operators via the token field, allowing them to extract sensitive password reset and email verification tokens.

If the server is configured with the emailVerifyTokenReuseIfValid option, the attacker can fully extract the email verification token and verify a user's email address without needing access to the user's inbox.

Impact Analysis

This vulnerability allows an unauthenticated attacker to remotely exploit the Parse Server by injecting malicious queries through the token parameter.

- Extraction of password reset tokens, potentially allowing unauthorized password resets.
- Extraction of email verification tokens, which can be used to verify a user's email address without access to their inbox if emailVerifyTokenReuseIfValid is enabled.
- Bypassing authentication mechanisms related to password reset and email verification.

Overall, this leads to a high confidentiality impact by exposing sensitive tokens and potentially compromising user accounts.

Mitigation Strategies

To mitigate the CVE-2026-30941 vulnerability, you should upgrade your Parse Server deployment to version 8.6.14 or later, or to version 9.5.2-alpha.1 or later.

These versions include fixes that add proper input type validation at the password reset and email verification resend endpoints, preventing NoSQL injection via the token parameter.

No known workarounds exist, so upgrading is the recommended immediate action.
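The following is an added example, not Parse Server's own code, showing the class of defect the Description and Mitigation sections refer to: a token lookup that places the request value into a MongoDB filter unchanged, next to a hardened version that enforces the token's type and format first. The field name resetToken, the token regex and all function names are assumptions; the sample request bodies are constructed.

```javascript
'use strict';

// Constructed sample request bodies, as a JSON body parser would hand them to
// a reset / resend-verification handler. The second carries an object in place
// of a string token, which is the shape of input this CVE is about.
const SAMPLE_OK  = JSON.parse('{"username":"alice","token":"0123456789abcdef0123456789abcdef"}');
const SAMPLE_BAD = JSON.parse('{"username":"alice","token":{"$gt":""}}');

// Assumed token alphabet and length (hypothetical; match the real generator).
const TOKEN_RE = /^[A-Za-z0-9]{16,64}$/;

// Vulnerable pattern: the request value is spliced into the filter unchanged,
// so an object with a "$"-prefixed key is interpreted by MongoDB as an operator
// instead of being compared as a literal token value.
function buildTokenQueryUnsafe(body) {
  return { username: body.username, resetToken: body.token }; // field name hypothetical
}

// Hardened pattern: enforce the type and format before building the filter.
function validateToken(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  if (!TOKEN_RE.test(token)) throw new RangeError('token has an unexpected format');
  return token;
}

function buildTokenQuerySafe(body) {
  return { username: body.username, resetToken: validateToken(body.token) };
}

// Review/detection aid: does a filter object contain any MongoDB operator key
// (one starting with "$") at any depth? Usable as a last-line assertion in a
// data-access layer, or in tests around endpoints that accept user input.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}

// Handler-style wrapper returning a result object rather than throwing, so the
// caller can map a rejected token to a 400 without leaking why it was rejected.
function handleTokenRequest(body) {
  try {
    return { ok: true, query: buildTokenQuerySafe(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}
```

With the unsafe builder, SAMPLE_BAD yields a filter containing an operator key; with the hardened one it is rejected before any database access.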
