GHSA-wjqw-r9x4-j59v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wjqw-r9x4-j59v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wjqw-r9x4-j59v/GHSA-wjqw-r9x4-j59v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wjqw-r9x4-j59v
- Aliases
- Published
- 2026-03-17T19:50:44Z
- Modified
- 2026-03-20T12:26:21.533093Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server affected by empty authData bypassing credential requirement on signup
- Details
-
Impact
A user can sign up without providing credentials by sending an empty
authDataobject, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.Patches
The fix ensures that empty or non-actionable
authDatais treated the same as absentauthDatafor the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present.Workarounds
Use a Cloud Code
beforeSavetrigger on the_Userclass to reject signups whereauthDatais empty and no username/password is provided. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-17T19:50:44Z", "cwe_ids": [ "CWE-287" ], "severity": "MODERATE", "nvd_published_at": "2026-03-18T22:16:26Z" }- References
-
- https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
- https://nvd.nist.gov/vuln/detail/CVE-2026-33042
- https://github.com/parse-community/parse-server/pull/10219
- https://github.com/parse-community/parse-server/pull/10220
- https://github.com/parse-community/parse-server
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server