CVE-2026-32248
Authentication Bypass in Parse Server via Pattern-Matching Query
Publication date: 2026-03-12
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | to 8.6.38 (exc) |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-943 | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32248 is a critical vulnerability in Parse Server that allows an unauthenticated attacker to take over user accounts created with authentication providers that do not validate the format of the user identifier, such as anonymous authentication.

The attacker sends a specially crafted login request that causes the server to perform a pattern-matching query instead of an exact-match lookup. This lets the attacker match an existing user and obtain a valid session token for that user's account.

The root cause is operator injection in the authentication data identifier, where the server fails to properly sanitize input used in database queries, affecting both MongoDB and PostgreSQL backends.

This vulnerability is fixed in Parse Server versions 9.6.0-alpha.12 and 8.6.38 by enforcing that the user identifier must be a string and rejecting non-string values with a validation error. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a complete takeover of user accounts without requiring any authentication, privileges, or user interaction.
An attacker exploiting this flaw can obtain valid session tokens for other users, compromising the confidentiality and integrity of those user accounts.
Since the attacker can impersonate legitimate users, this can lead to unauthorized access to sensitive data and actions performed on behalf of those users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-32248 vulnerability, you should upgrade your Parse Server deployment to version 9.6.0-alpha.12 or later if you are using the 9.x series, or to version 8.6.38 or later if you are using the 8.x series.
This vulnerability affects any Parse Server deployment that allows anonymous authentication (enabled by default), so consider disabling anonymous authentication if upgrading immediately is not possible.
The fix enforces that the user identifier in authentication data must be a string before it is used in database queries, preventing operator injection attacks that allow account takeover.
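The string check that the fix enforces, shown here as an added example rather than Parse Server's own code: the identifier from authData is accepted only as a non-empty string, the exact-match lookup is built only from that validated value, and a request-body check flags logins whose identifier is not a string (useful when reviewing logs of a not-yet-upgraded deployment). The function names and the `authData.<provider>.id` lookup key are assumptions for illustration, not Parse Server's storage schema.

```javascript
// Added example: validation of the authData identifier, as the fix described above
// requires. Names and the lookup key are illustrative assumptions.

class AuthDataValidationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'AuthDataValidationError';
  }
}

// Returns the identifier only if it is a non-empty string. A number, object,
// array, null or missing value is rejected with a validation error, so no
// query-shaping value can reach the database layer.
function validateAuthDataId(provider, providerData) {
  if (providerData === null || typeof providerData !== 'object' || Array.isArray(providerData)) {
    throw new AuthDataValidationError(`authData.${provider} must be an object`);
  }
  const id = providerData.id;
  if (typeof id !== 'string' || id.length === 0) {
    throw new AuthDataValidationError(`authData.${provider}.id must be a non-empty string`);
  }
  return id;
}

// Builds the exact-match filter. Because the value is a validated string, the
// backend performs a literal comparison rather than a pattern match.
function buildAuthDataLookup(provider, providerData) {
  const id = validateAuthDataId(provider, providerData);
  return { [`authData.${provider}.id`]: id };
}

// Defender-side check over a login request body (constructed sample input in the
// test): returns the providers whose identifier fails the string rule.
function findNonStringAuthIds(body) {
  const authData = body && body.authData;
  if (!authData || typeof authData !== 'object' || Array.isArray(authData)) return [];
  return Object.keys(authData).filter(provider => {
    try {
      validateAuthDataId(provider, authData[provider]);
      return false;
    } catch (e) {
      return e instanceof AuthDataValidationError;
    }
  });
}
```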