CVE-2026-33538

Received Received - Intake

Denial of Service via Unindexed Queries in Parse Server

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-24

Last Modified

2026-03-25

Generated

2026-05-07

AI Q&A

2026-03-24

EPSS Evaluated

2026-05-05

NVD

CVE-2026-33538

EUVD

EUVD-2026-14975

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	to 8.6.58 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-400	The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

This vulnerability affects Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52. An unauthenticated attacker can send authentication requests using arbitrary provider names that are not configured on the server.

For each such unconfigured provider name, the server executes a database query without an index, causing a full collection scan on the user database.

Because these requests can be sent in parallel, the attacker can saturate database resources, leading to a denial of service condition.

This issue has been fixed in Parse Server versions 8.6.58 and 9.6.0-alpha.52.

How can this vulnerability impact me? :

The vulnerability can be exploited to cause a denial of service (DoS) on the Parse Server backend.

By sending multiple authentication requests with arbitrary, unconfigured provider names, an attacker can overload the database with expensive queries.

This can saturate database resources, potentially making the backend unavailable to legitimate users and disrupting service.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Parse Server to version 8.6.58 or later, or to version 9.6.0-alpha.52 or later. These versions contain patches that prevent unauthenticated attackers from causing denial of service by sending authentication requests with arbitrary, unconfigured provider names.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-33538

Denial of Service via Unindexed Queries in Parse Server

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart