CVE-2026-33042 in parse-server
Summary
by MITRE • 03/19/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. The fix in 9.6.0-alpha.29 and 8.6.49 ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. As a workaround, use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability described in CVE-2026-33042 affects Parse Server versions prior to 9.6.0-alpha.29 and 8.6.49, representing a critical authentication bypass flaw that undermines the core security mechanisms of the platform. This issue stems from improper validation of authentication data during user registration processes, creating a pathway for unauthorized account creation. The vulnerability specifically targets the handling of the `authData` object, which serves as the primary mechanism for authenticating users through various providers including social logins, custom authentication systems, and traditional username/password combinations. When an attacker sends an empty `authData` object during user signup, the system incorrectly interprets this as a valid authentication state rather than a missing credential scenario.
The technical flaw manifests in the server's validation logic where empty `authData` objects are not properly distinguished from absent `authData`, allowing malicious actors to create authenticated sessions without providing proper credentials. This behavior directly violates fundamental security principles and creates a scenario where users can bypass authentication requirements entirely. The vulnerability is particularly concerning because it operates even when anonymous user creation is disabled, meaning that the platform's security configuration intended to prevent unauthorized access is effectively circumvented. This flaw represents a direct violation of CWE-287, which addresses improper authentication issues, and aligns with ATT&CK technique T1078.004 for valid accounts and T1078.002 for additional privileges through legitimate accounts.
The operational impact of this vulnerability extends beyond simple account creation, as it enables attackers to establish persistent authenticated sessions that can be leveraged for further malicious activities. An attacker could potentially use this vulnerability to create multiple accounts, consume platform resources, or gain unauthorized access to protected data and functionality. The bypass of username and password requirements undermines the entire authentication framework, making it possible for unauthorized users to assume legitimate user identities and potentially escalate privileges within the system. This vulnerability affects not only the immediate authentication process but also compromises the integrity of the entire user management system, as it allows for the creation of accounts that should never have been permitted in the first place.
The fix implemented in versions 9.6.0-alpha.29 and 8.6.49 addresses the core issue by ensuring that empty or non-actionable `authData` objects are treated identically to absent `authData` for credential validation purposes. This change requires that either valid authentication provider data or explicit username and password credentials be provided during user creation, eliminating the bypass path. The solution aligns with security best practices by enforcing mandatory credential requirements and ensuring that authentication validation is robust against edge cases. Organizations should immediately upgrade to these fixed versions to remediate the vulnerability. As a temporary workaround, administrators can implement a Cloud Code `beforeSave` trigger on the `_User` class to reject signup attempts where `authData` is empty and no username/password is provided, effectively blocking the vulnerability at the application level while maintaining existing functionality. This mitigation approach provides an additional layer of security while the platform is updated to the patched versions.
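The following is an added example of the workaround described above and of the "empty or non-actionable `authData` is the same as absent `authData`" rule the fix enforces; it is not Parse Server's own patch or the advisory's code. The helper names (`hasActionableAuthData`, `validateNewUser`) are assumptions, and the trigger assumes that `request.object.get('password')` still holds the submitted password in a `beforeSave` on `_User` for a new object (password hashing in Parse Server happens after the trigger runs).

```javascript
// Added example: Cloud Code beforeSave guard for the _User class (CVE-2026-33042 workaround).
// Not Parse Server's own code; helper names are assumptions made for this example.

// Returns true only when authData names at least one provider with a non-null
// object payload. `{}`, `null`, `undefined`, and `{ provider: null }` are all
// "non-actionable" and are treated exactly like absent authData (the rule the
// upstream fix applies during credential validation).
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.keys(authData).some(
    (provider) => authData[provider] !== null && typeof authData[provider] === 'object'
  );
}

function isNonEmptyString(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// Validates the fields of a new user. Returns null when the signup may proceed,
// otherwise a rejection reason. Provider-level checks (e.g. whether the
// anonymous provider is enabled) remain the job of Parse Server's auth adapters.
function validateNewUser({ username, password, authData }) {
  if (hasActionableAuthData(authData)) {
    return null; // a real auth provider payload is present; adapters validate it
  }
  if (isNonEmptyString(username) && isNonEmptyString(password)) {
    return null; // classic credentials supplied
  }
  return 'Signup requires a username and password, or non-empty authData';
}

// Cloud Code registration. Runs only inside Parse Server, where the global
// `Parse` object exists; the pure helpers above work stand-alone for testing.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    const user = request.object;
    if (!user.isNew()) {
      return; // gate account creation only, not updates to existing users
    }
    const reason = validateNewUser({
      username: user.get('username'),
      password: user.get('password'), // assumption: plaintext still visible here
      authData: user.get('authData'),
    });
    if (reason) {
      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, reason);
    }
  });
}
```

The pure helpers are what a regression test should target: an empty object, `null`, and a provider mapped to `null` must all be rejected unless a username and password accompany them, while a populated provider payload or a username/password pair is accepted and handed on to Parse Server's normal validation.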