Vulnerability details: VCID-crd1-u2dd-6yh2
Vulnerability ID VCID-crd1-u2dd-6yh2
Aliases CVE-2026-33538
GHSA-g4cf-xj29-wqqr
Summary Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

### Impact
An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.

### Patches
The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.

### Workarounds
There is no known workaround other than upgrading.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00142 https://api.first.org/data/v1/epss?cve=CVE-2026-33538
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-g4cf-xj29-wqqr
cvssv4 8.7 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.7 https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
generic_textual HIGH https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
ssvc Track https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
cvssv4 8.7 https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
generic_textual HIGH https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
ssvc Track https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
cvssv4 8.7 https://github.com/parse-community/parse-server/pull/10270
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10270
ssvc Track https://github.com/parse-community/parse-server/pull/10270
cvssv4 8.7 https://github.com/parse-community/parse-server/pull/10271
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10271
ssvc Track https://github.com/parse-community/parse-server/pull/10271
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
cvssv4 8.7 https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-33538
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-33538
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/ Found at https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/ Found at https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10270
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/ Found at https://github.com/parse-community/parse-server/pull/10270
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10271
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/ Found at https://github.com/parse-community/parse-server/pull/10271
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33538
Exploit Prediction Scoring System (EPSS)
Percentile 0.34147
EPSS Score 0.00142
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:58:21.234899+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json 38.6.0