Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5tkj-suz2-hyf2
Vulnerability ID VCID-5tkj-suz2-hyf2
Aliases CVE-2026-33042
GHSA-wjqw-r9x4-j59v
Summary Parse Server affected by empty authData bypassing credential requirement on signup ### Impact A user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. ### Patches The fix ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. ### Workarounds Use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-33042
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-33042
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-33042
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wjqw-r9x4-j59v
cvssv4 6.9 https://github.com/parse-community/parse-server
generic_textual MODERATE https://github.com/parse-community/parse-server
cvssv4 6.9 https://github.com/parse-community/parse-server/pull/10219
generic_textual MODERATE https://github.com/parse-community/parse-server/pull/10219
ssvc Track https://github.com/parse-community/parse-server/pull/10219
cvssv4 6.9 https://github.com/parse-community/parse-server/pull/10220
generic_textual MODERATE https://github.com/parse-community/parse-server/pull/10220
ssvc Track https://github.com/parse-community/parse-server/pull/10220
cvssv3.1_qr MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
cvssv4 6.9 https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
generic_textual MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-33042
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-33042
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33042
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/pull/10219
https://github.com/parse-community/parse-server/pull/10220
https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
https://nvd.nist.gov/vuln/detail/CVE-2026-33042
GHSA-wjqw-r9x4-j59v https://github.com/advisories/GHSA-wjqw-r9x4-j59v
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10219
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/ Found at https://github.com/parse-community/parse-server/pull/10219
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10220
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/ Found at https://github.com/parse-community/parse-server/pull/10220
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33042
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02007
EPSS Score 0.00013
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:58:32.748624+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wjqw-r9x4-j59v/GHSA-wjqw-r9x4-j59v.json 38.6.0