Main Vulnerability Database SB2026040771

SB2026040771 - LDAP injection in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040771

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) LDAP injection (CVE-ID: CVE-2026-31828)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the LDAP authentication adapter when constructing LDAP distinguished names and group search filters from user-supplied input. A remote user can supply a specially crafted authData.id value to escalate privileges.

The issue affects deployments that use the LDAP authentication adapter with group-based access control.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c