What is the CVSS score of CVE-2026-32248?

CVE-2026-32248 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PostgreSQL are affected by CVE-2026-32248?

A critical vulnerability in Parse Server allows unauthenticated attackers to hijack user accounts by exploiting weak authentication validation, affecting any deployment with anonymous authentication…. A patch is available.

Is there a public PoC exploit available for CVE-2026-32248?

Yes, a public proof-of-concept exploit is available for CVE-2026-32248. Prioritise patching immediately. EPSS: 0.1%.

PostgreSQL CVE-2026-32248

CRITICAL

Improper Neutralization of Special Elements in Data Query Logic (CWE-943)

2026-03-12 security-advisories@github.com

GHSA-5fw2-8jcv-xh87

Information Disclosure PostgreSQL Node.js Parse Server

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

PoC Detected

Mar 13, 2026 - 19:00 vuln.today

Public exploit code

Analysis Generated

Mar 12, 2026 - 22:55 vuln.today

CVE Published

Mar 12, 2026 - 20:16 nvd

CRITICAL 9.8

DescriptionNVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.

AnalysisAI

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

RemediationAI

Within 24 hours: Audit all Parse Server deployments to identify instances with anonymous authentication enabled and document exposure scope; disable anonymous authentication if not operationally required. Within 7 days: Implement compensating controls (WAF rules to block pattern-matching queries, network segmentation limiting Parse Server access, enhanced logging/monitoring for suspicious authentication attempts). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32248 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-32248

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code