CVE-2026-33042

MEDIUM
2026-03-17 https://github.com/parse-community/parse-server GHSA-wjqw-r9x4-j59v

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:30 (vuln.today)
Patch Released: Mar 17, 2026 - 20:30 (nvd), patch available
CVE Published: Mar 17, 2026 - 19:50 (nvd)

Description

### Impact

A user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.

### Patches

The fix ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present.

### Workarounds

Use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.
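
One way to write the `beforeSave` workaround described above. This is an added example, not parse-server's patch or code from the advisory. The helper names and the reading of "non-actionable" (a provider entry that is null or an empty object) are assumptions, as is the premise that the trigger sees the client-submitted `username`, `password` and `authData`.

```javascript
// Added example: Cloud Code workaround sketch, not parse-server's own fix.

// Assumption: a provider entry is actionable only when it is a non-empty
// object; {} or { provider: null } carries no credentials at all.
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.values(authData).some(
    (entry) =>
      entry !== null &&
      typeof entry === 'object' &&
      !Array.isArray(entry) &&
      Object.keys(entry).length > 0
  );
}

function isNonEmptyString(value) {
  return typeof value === 'string' && value.length > 0;
}

// True when a new-user save supplies neither usable provider data nor
// both a username and a password.
function shouldRejectSignup({ isNew, authData, username, password }) {
  if (!isNew) return false; // updates to existing users are left alone
  if (hasActionableAuthData(authData)) return false;
  return !(isNonEmptyString(username) && isNonEmptyString(password));
}

// Register the trigger only inside Cloud Code, where the global `Parse`
// exists; elsewhere the functions above can be unit-tested directly.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    const user = request.object;
    const reject = shouldRejectSignup({
      isNew: !request.original, // no prior version means a signup
      authData: user.get('authData'),
      username: user.get('username'),
      password: user.get('password'),
    });
    if (reject) {
      throw new Parse.Error(
        Parse.Error.VALIDATION_ERROR,
        'Signup requires username and password or valid authData.'
      );
    }
  });
}
```

Signups with populated provider data and ordinary username/password signups pass through unchanged; only credential-less creations are refused.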

Analysis

Node.js authentication bypass allows unauthenticated account creation when empty authData objects bypass credential validation, enabling attackers to establish authenticated sessions without providing required usernames or passwords. This affects applications where anonymous registration is disabled but authentication checks fail to properly validate the authData parameter. …


Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.


Priority Score

0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
