CVE-2026-33538

Description

### Impact An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. ### Patches The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database. ### Workarounds There is no known workaround other than upgrading.

How to fix CVE-2026-33538

To remediate CVE-2026-33538, upgrade the affected package to a fixed version below.

• —upgrade to 8.6.58 or later
• —upgrade to 9.6.0-alpha.52 or later

Is CVE-2026-33538 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 8.6.58, >= 9.0.0, < 9.6.0
• >= 9.0.0, < 9.6.0-alpha.52

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33538
• PATCHgithub.com/parse-community/parse-server
• WEBgithub.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
• WEBgithub.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54