Skip to main content

CVE-2026-33409

HIGH
Improper Authentication (CWE-287)
2026-03-19 https://github.com/parse-community/parse-server GHSA-pfj7-wv7c-22pr
7.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 19, 2026 - 22:00 vuln.today
Patch released
Mar 19, 2026 - 22:00 nvd
Patch available
CVE Published
Mar 19, 2026 - 21:32 nvd
HIGH 7.0

DescriptionGitHub Advisory

Impact

An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.

This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false.

Patches

Auth providers are now always validated on login, regardless of the allowExpiredAuthDataToken setting. The option allowExpiredAuthDataToken has been deprecated and will be removed in a future major version.

Workarounds

Set allowExpiredAuthDataToken to false (the default) or remove the option from the server configuration.

AnalysisAI

Parse Server authentication bypass in deployments with allowExpiredAuthDataToken enabled allows attackers to impersonate any user with a linked third-party authentication provider by knowing only their provider ID, gaining full account access including valid session tokens. This affects configurations that explicitly set the non-default allowExpiredAuthDataToken option to true. A patch is available that enforces auth provider validation regardless of this setting.

Technical ContextAI

An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Improper Authentication (CWE-287).

RemediationAI

A vendor patch is available — apply it immediately. Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.

Share

CVE-2026-33409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy