GHSA-pfj7-wv7c-22pr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pfj7-wv7c-22pr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pfj7-wv7c-22pr/GHSA-pfj7-wv7c-22pr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pfj7-wv7c-22pr
- Aliases
-
- CVE-2026-33409
- Published
- 2026-03-19T21:32:10Z
- Modified
- 2026-03-19T21:46:34.060984Z
- Severity
-
- 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server has an auth provider validation bypass on login via partial authData
- Details
-
Impact
An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.
This affects Parse Server deployments where the server option
allowExpiredAuthDataTokenis set totrue. The default value isfalse.Patches
Auth providers are now always validated on login, regardless of the
allowExpiredAuthDataTokensetting. The optionallowExpiredAuthDataTokenhas been deprecated and will be removed in a future major version.Workarounds
Set
allowExpiredAuthDataTokentofalse(the default) or remove the option from the server configuration. - Database specific
{ "github_reviewed_at": "2026-03-19T21:32:10Z", "github_reviewed": true, "cwe_ids": [ "CWE-287" ], "nvd_published_at": null, "severity": "HIGH" }- References
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server