CVE-2026-33498
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Description
### Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. ### Patches The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire. ### Workarounds None.
How to fix CVE-2026-33498
To remediate CVE-2026-33498, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.55 or later
- —upgrade to 9.6.0-alpha.44 or later
Is CVE-2026-33498 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.55, >= 9.0.0, < 9.6.0
- >= 9.0.0, < 9.6.0-alpha.44
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |