CVE-2026-30941
NoSQL Injection in Parse Server Enables Token Theft
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability | Percentile |
|---|---|
| | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | From 9.0.0 (inc) to 9.5.2 (exc) |
| parseplatform | parse-server | Up to 8.6.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-943 | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30941 is a NoSQL injection vulnerability in Parse Server versions prior to 8.6.14 and 9.5.2-alpha.1. It occurs in the password reset and email verification resend endpoints, where the token parameter is used directly in MongoDB queries without proper type validation: because the request body is JSON, a client can supply an object carrying query operators (for example a `$regex` condition) where the endpoint expects a plain string, and that object becomes part of the query.

An unauthenticated attacker can inject MongoDB query operators via the token field, allowing them to extract sensitive password reset and email verification tokens.

If the server is configured with the emailVerifyTokenReuseIfValid option, the attacker can fully extract the email verification token and verify a user's email address without needing access to the user's inbox. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely exploit the Parse Server by injecting malicious queries through the token parameter. Possible consequences:
- Extraction of password reset tokens, potentially allowing unauthorized password resets.
- Extraction of email verification tokens, which can be used to verify a user's email address without access to their inbox if emailVerifyTokenReuseIfValid is enabled.
- Bypassing authentication mechanisms related to password reset and email verification.

Overall, this leads to a high confidentiality impact by exposing sensitive tokens and potentially compromising user accounts. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-30941, upgrade your Parse Server deployment to version 8.6.14 or later on the 8.x line, or to version 9.5.2-alpha.1 or later on the 9.x line.
These versions add input type validation at the password reset and email verification resend endpoints, so a token value that is not a string is rejected before it reaches the MongoDB query, preventing NoSQL injection via the token parameter.
No known workarounds exist, so upgrading is the recommended immediate action.
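The following Node.js snippet is an added illustration, not Parse Server's code and not taken from the advisory. It models the pattern the explanation, detection and mitigation answers above describe: a lookup that splices a request-supplied token straight into a MongoDB-style query, the same lookup with the string type check that the fix category corresponds to, a detector for request bodies that carry query operators where a string is expected (one concrete answer to the detection question), and a blind character-by-character extraction run against the vulnerable variant. The in-memory collection, the `$regex` matcher, the field name `_perishable_token`, the function names and the sample token values are all constructed assumptions for the demonstration.

```javascript
// Added example (not Parse Server code). A tiny in-memory stand-in for a
// MongoDB collection plus a vulnerable and a hardened lookup. Field names,
// function names and token values are assumptions made for this demo.

// Constructed sample documents; the tokens are not real.
const users = [
  { username: "alice", _perishable_token: "f3a9c1e2b7" },
  { username: "bob",   _perishable_token: "0b1d5e9a44" },
];

// Minimal matcher: plain values compare by equality, and an object carrying
// a $regex key is treated as an operator, mirroring how a smuggled operator
// changes the meaning of a real MongoDB query.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object" && "$regex" in cond) {
      return typeof value === "string" && new RegExp(cond.$regex).test(value);
    }
    return value === cond;
  });
}

function findOne(query) {
  return users.find((doc) => matches(doc, query)) || null;
}

// Vulnerable pattern: whatever the JSON body holds under "token" goes into
// the query unchanged. A string is a plain equality; an object with
// "$"-prefixed keys becomes an operator.
function vulnerableLookup(body) {
  return findOne({ username: body.username, _perishable_token: body.token });
}

// Hardened pattern: reject any non-string before the query is built. This is
// the kind of type validation the advisory says the fixed versions add.
function hardenedLookup(body) {
  if (typeof body.username !== "string" || typeof body.token !== "string") {
    throw new TypeError("username and token must be strings");
  }
  return findOne({ username: body.username, _perishable_token: body.token });
}

// Detection helper for captured or proxied requests: a parsed body whose
// token is an object with any "$"-prefixed key is an operator injection
// attempt, regardless of which operator is used.
function hasOperatorInjection(body) {
  const t = body.token;
  return t !== null && typeof t === "object" &&
    Object.keys(t).some((k) => k.startsWith("$"));
}

// Blind extraction against the vulnerable lookup: each probe asks "does the
// token start with prefix + c?" and the found/not-found answer is the oracle.
// The alphabet is a demo assumption (hex tokens); real tokens may differ.
function extractToken(lookup, username, alphabet = "0123456789abcdef", maxLen = 64) {
  let prefix = "";
  for (let i = 0; i < maxLen; i++) {
    let advanced = false;
    for (const c of alphabet) {
      if (lookup({ username, token: { $regex: "^" + prefix + c } })) {
        prefix += c;
        advanced = true;
        break;
      }
    }
    if (!advanced) break;
  }
  // Anchor both ends so a proper prefix of a longer token is not accepted.
  return lookup({ username, token: { $regex: "^" + prefix + "$" } }) ? prefix : null;
}

// Demo run on the constructed data: recovers alice's token via the vulnerable path.
if (typeof require !== "undefined" && require.main === module) {
  console.log(extractToken(vulnerableLookup, "alice"));
}
```

The point of `hardenedLookup` is that the check happens on the type of the value, not on its content: escaping or denylisting operator names is fragile, while `typeof body.token !== "string"` closes the whole class at once. The same check belongs in any handler that forwards a request field into a MongoDB query, and `hasOperatorInjection` can be run over logged JSON bodies to spot probing before an upgrade lands.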