Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
GHSA-g4cf-xj29-wqqr · BIT-parse-2026-33538 · CVE-2026-33538
Published · Modified
Description
Impact
An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.
Patches
The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.
Workarounds
There is no known workaround other than upgrading.
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33538
- WEB https://github.com/parse-community/parse-server/pull/10270
- WEB https://github.com/parse-community/parse-server/pull/10271
- WEB https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
- WEB https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
- PACKAGE https://github.com/parse-community/parse-server
Ready to move
Start Securing
Free, no credit card | First findings in minutes