CVE-2026-33538

Received Received - Intake

Denial of Service via Unindexed Queries in Parse Server

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-24

Last Modified

2026-03-25

Generated

2026-06-16

AI Q&A

2026-03-24

EPSS Evaluated

2026-06-15

NVD

CVE-2026-33538

EUVD

EUVD-2026-14975

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	to 8.6.58 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-400	The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

Executive Summary

This vulnerability affects Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52. An unauthenticated attacker can send authentication requests using arbitrary provider names that are not configured on the server.

For each such unconfigured provider name, the server executes a database query without an index, causing a full collection scan on the user database.

Because these requests can be sent in parallel, the attacker can saturate database resources, leading to a denial of service condition.

This issue has been fixed in Parse Server versions 8.6.58 and 9.6.0-alpha.52.

Impact Analysis

The vulnerability can be exploited to cause a denial of service (DoS) on the Parse Server backend.

By sending multiple authentication requests with arbitrary, unconfigured provider names, an attacker can overload the database with expensive queries.

This can saturate database resources, potentially making the backend unavailable to legitimate users and disrupting service.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 8.6.58 or later, or to version 9.6.0-alpha.52 or later. These versions contain patches that prevent unauthenticated attackers from causing denial of service by sending authentication requests with arbitrary, unconfigured provider names.

Hi! I’m here to help you understand CVE-2026-33538. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33538

Denial of Service via Unindexed Queries in Parse Server

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart