Parse Server vulnerable to user enumeration via email verification endpoint

Impact The email verification endpoint /verificationEmailRequest returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to...

GHSA-W54V-HF9P-8856 Parse Server vulnerable to user enumeration via email verification endpoint

Impact The email verification endpoint /verificationEmailRequest returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to...

EUVD-2026-11280

Parse Server's MFA recovery codes not consumed after use...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31875 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31875 Source advisory: SNYK:JS-PARSESERVER-15469015...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31875 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31875 Source advisory: OSV:GHSA-4HF6-3X24-C9M8...

Operation on a Resource after Expiration or Release

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the recovery code. An attacker can repeatedly gain unauthorized...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31875 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31875 Source advisory: OSV:GHSA-4HF6-3X24-C9M8...

GHSA-4HF6-3X24-C9M8 Parse Server's MFA recovery codes not consumed after use

Impact When multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recover...

EUVD-2026-11279

Parse Server has a protected fields bypass via dot-notation in query and sort...

Parse Server has a protected fields bypass via dot-notation in query and sort

Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...

GHSA-R2M8-PXM9-9C4G Parse Server has a protected fields bypass via dot-notation in query and sort

Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31872 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31872 Source advisory: OSV:GHSA-R2M8-PXM9-9C4G...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31872 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31872 Source advisory: OSV:GHSA-R2M8-PXM9-9C4G...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the handling of protectedFields permissions when processing query WHERE clauses and sort paramete...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31872 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31872 Source advisory: SNYK:JS-PARSESERVER-15468853...

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

GHSA-GQPP-XGVH-9H7H Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31871 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31871 Source advisory: SNYK:JS-PARSESERVER-15469164...

SQL Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the Increment operation on PostgreSQL when handling nested object fields using dot notation. An attacker ca...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31871 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31871 Source advisory: OSV:GHSA-GQPP-XGVH-9H7H...