Executive Summary

CVE-2026-39321 is a timing side-channel vulnerability in the Parse Server login mechanism. The vulnerability occurs because the server's response time differs depending on whether the submitted username or email exists in the database. If the user does not exist, the server responds immediately. However, if the user exists but the password is incorrect, the server performs a bcrypt password hash comparison first, which takes longer. This timing difference allows an unauthenticated attacker to determine which usernames are valid by measuring response times.

The fix involves normalizing the login response timing by always performing a bcrypt comparison, even when the user does not exist or has no stored password. This is done by using a constant dummy bcrypt hash for comparisons in these cases, ensuring that all authentication attempts take roughly the same amount of time and preventing attackers from inferring user existence based on timing.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid usernames by measuring differences in login response times, which could lead to unauthorized disclosure of user existence information.

Such user enumeration vulnerabilities can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and user privacy by preventing unauthorized access or disclosure of user information.

By enabling attackers to confirm valid usernames, this vulnerability could facilitate targeted attacks or data breaches, potentially violating confidentiality requirements under these regulations.

The fix normalizes login response times to prevent user enumeration, thereby helping to maintain compliance by reducing the risk of unauthorized disclosure of user existence.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to enumerate valid usernames on a Parse Server by measuring differences in login response times. Knowing valid usernames can facilitate targeted attacks such as phishing, password guessing, or brute force attempts.

While the vulnerability does not directly expose passwords or other sensitive data, it leaks information about user existence, which can be leveraged to compromise accounts or escalate attacks.

The fix prevents this by making login response times consistent regardless of user existence, reducing the risk of user enumeration and improving overall security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by measuring the response times of login attempts to the Parse Server. Specifically, an attacker or tester can observe that login requests with non-existent usernames respond significantly faster than those with existing usernames but incorrect passwords, due to the bcrypt comparison delay.

To detect this timing side-channel on your system, you can perform repeated login attempts with different usernames and measure the response times. A consistent measurable difference in response times between non-existent and existent usernames indicates the presence of the vulnerability.

Suggested commands to test this could include using tools like curl or any HTTP client in a script to send login requests and measure response times. For example, using curl with time measurement in a shell script:

• curl -w "%{time_total}\n" -o /dev/null -s -X POST https://your-parse-server/login -d '{"username":"nonexistentuser","password":"any"}'
• curl -w "%{time_total}\n" -o /dev/null -s -X POST https://your-parse-server/login -d '{"username":"existinguser","password":"wrongpassword"}'

By comparing the total time taken for these requests, you can identify if the server leaks timing information that could be exploited for user enumeration.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation for this vulnerability is to update the Parse Server to a fixed version where the timing side-channel has been addressed.

• Upgrade to Parse Server version 9.8.0-alpha.6 or later, or version 8.6.74 or later, where the fix has been implemented.

The fix normalizes login response times by performing a bcrypt password comparison using a constant dummy hash even when the user does not exist or has no stored password, preventing attackers from inferring user existence based on response timing.

As a temporary workaround before upgrading, implementing rate limiting on the login endpoint can slow down automated enumeration attempts, although it does not fully eliminate the timing side-channel.

Useful 0 Not Useful 0