CVE-2026-33498
Received Received - Intake
Denial of Service in Parse Server via Nested Query Injection

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33498
Affected Vendors & Products
Showing 45 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server to 8.6.55 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server, an open source backend that runs on Node.js. Before versions 8.6.55 and 9.6.0-alpha.44, an attacker could send an unauthenticated HTTP request containing a deeply nested query with logical operators. This specially crafted query causes the Parse Server process to hang permanently, making the server completely unresponsive until it is manually restarted.

This issue is a bypass of a previous fix (CVE-2026-32944) and has been addressed in the patched versions 8.6.55 and 9.6.0-alpha.44.

Impact Analysis

The vulnerability can cause the Parse Server to become completely unresponsive due to a permanent hang triggered by a malicious query. This results in a denial of service condition where legitimate users cannot access the backend services until the server is manually restarted.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthenticated HTTP requests sent to the Parse Server that contain deeply nested query conditions using logical operators such as $and, $or, or $nor.'}, {'type': 'paragraph', 'content': 'Specifically, queries that exceed the configured maximum query nesting depth (commonly set to 10) and are nested 50 levels deep or more may indicate an attempt to exploit this vulnerability.'}, {'type': 'paragraph', 'content': 'To detect such attempts, you can capture and inspect HTTP requests to the Parse Server REST API for unusually deep nesting in query parameters.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious requests might include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP traffic, and then using tools like jq or custom scripts to parse and analyze the JSON query payloads for excessive nesting.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic on port 80 or 443 (if not encrypted): tcpdump -i eth0 -A 'tcp port 80'"}, {'type': 'list_item', 'content': 'Extract HTTP POST requests to the Parse Server REST API endpoints and save the JSON payloads.'}, {'type': 'list_item', 'content': 'Use a script or jq to parse the JSON queries and check for nesting depth of $and, $or, and $nor operators exceeding the configured limit.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves bypassing query depth validation by deeply nested logical operators, detection focuses on identifying such deeply nested queries in unauthenticated requests.'}] [1]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade the Parse Server to version 8.6.55 or later, or 9.6.0-alpha.44 or later, where this vulnerability has been patched.

The patch enforces early validation of query nesting depth, preventing excessively nested queries from being processed and thus avoiding denial-of-service conditions.

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting or blocking unauthenticated requests with suspiciously complex query payloads.

Additionally, monitor server responsiveness and be prepared to manually restart the Parse Server process if it becomes unresponsive due to an attack.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33498. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart