Improper Neutralization of Special Elements in Data Query Logic in Parse Server - CVE-2026-30941

 

Improper Neutralization of Special Elements in Data Query Logic in Parse Server - CVE-2026-30941

Published: April 6, 2026


Vulnerability identifier: #VU124993
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30941
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in data query logic in the password reset and email verification resend endpoints when processing the token field in requests. A remote attacker can send a specially crafted token value with MongoDB query operators to disclose sensitive information.

When emailVerifyTokenReuseIfValid is configured, the extracted email verification token can be used to verify a user's email address without inbox access.


How to mitigate CVE-2026-30941

Install security update from vendor's website.

Sources