Information Exposure Through Timing Discrepancy in Parse Server - #VU125011
Published: April 6, 2026
Parse Server
Detailed vulnerability description
The vulnerability allows a remote attacker to enumerate valid usernames or email addresses.
The vulnerability exists due to observable timing discrepancy in the login endpoint when processing login requests with submitted usernames or email addresses. A remote attacker can send login attempts with incorrect passwords and measure response times to enumerate valid usernames or email addresses.
Accounts without a stored password, such as OAuth-only accounts, are also affected by the timing side channel.