Main Vulnerability Database SB2026040744

SB2026040744 - Information Exposure Through Timing Discrepancy in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040744

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)

The vulnerability allows a remote attacker to enumerate valid usernames or email addresses.

The vulnerability exists due to observable timing discrepancy in the login endpoint when processing login requests with submitted usernames or email addresses. A remote attacker can send login attempts with incorrect passwords and measure response times to enumerate valid usernames or email addresses.

Accounts without a stored password, such as OAuth-only accounts, are also affected by the timing side channel.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v