CVE-2026-33409
HIGH
GHSA-pfj7-wv7c-22pr
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
### Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option `allowExpiredAuthDataToken` is set to `true`. The default value is `false`. ### Patches Auth providers are now always validated on login, regardless of the `allowExpiredAuthDataToken` setting. The option `allowExpiredAuthDataToken` has been deprecated and will be removed in a future major version. ### Workarounds Set `allowExpiredAuthDataToken` to `false` (the default) or remove the option from the server configuration.
Analysis
Parse Server authentication bypass in deployments with `allowExpiredAuthDataToken` enabled allows attackers to impersonate any user with a linked third-party authentication provider by knowing only their provider ID, gaining full account access including valid session tokens. This affects configurations that explicitly set the non-default `allowExpiredAuthDataToken` option to `true`. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Verify your Parse Server configuration to determine if `allowExpiredAuthDataToken` is enabled; if enabled, immediately set it to `false` as a temporary measure. Within 7 days: Apply the available vendor patch to all Parse Server instances and validate the patch in a staging environment before production deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today