#VU125002 Improper Neutralization of Special Elements in Data Query Logic in Parse Server - CVE-2026-32248

 


Published: April 6, 2026


Vulnerability identifier: #VU125002
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32248
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to take over user accounts.

The vulnerability exists due to improper neutralization of special elements in data query logic in the handling of authentication data identifiers during login. A remote attacker can send a specially crafted login request to take over user accounts.

Any deployment that allows anonymous authentication is vulnerable, and both MongoDB and PostgreSQL database backends are affected.


Remediation

Install the security update from the vendor's website.
