LDAP injection in Parse Server - CVE-2026-31828

 

LDAP injection in Parse Server - CVE-2026-31828

Published: April 6, 2026 / Updated: April 7, 2026


Vulnerability identifier: #VU124984
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31828
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the LDAP authentication adapter when constructing LDAP distinguished names and group search filters from user-supplied input. A remote user can supply a specially crafted authData.id value to escalate privileges.

The issue affects deployments that use the LDAP authentication adapter with group-based access control.


How to mitigate CVE-2026-31828

Install security update from vendor's website.

Sources