CVE-2026-33409
HIGHSeverity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.
This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false.
Patches
Auth providers are now always validated on login, regardless of the allowExpiredAuthDataToken setting. The option allowExpiredAuthDataToken has been deprecated and will be removed in a future major version.
Workarounds
Set allowExpiredAuthDataToken to false (the default) or remove the option from the server configuration.
AnalysisAI
Parse Server authentication bypass in deployments with allowExpiredAuthDataToken enabled allows attackers to impersonate any user with a linked third-party authentication provider by knowing only their provider ID, gaining full account access including valid session tokens. This affects configurations that explicitly set the non-default allowExpiredAuthDataToken option to true. A patch is available that enforces auth provider validation regardless of this setting.
Technical ContextAI
An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Improper Authentication (CWE-287).
RemediationAI
A vendor patch is available — apply it immediately. Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pfj7-wv7c-22pr