CVE-2026-33409
Parse Server suffers an authentication bypass on login via partial authData. Affected versions are before 8.6.52 and 9.6.0-alpha.41, where an attacker can log in as a user linked to a third‑party provider if allowExpiredAuthDataToken is true. The attacker only needs the user’s provider ID, gainin...