CVE-2026-31901

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-31901
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.34 Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8 Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856 Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
History

13 Mar 2026, 17:06

Type Values Removed Values Added
First Time Parseplatform
Parseplatform parse-server
CPE cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
Summary
  • (es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.34 y 9.6.0-alpha.8, el endpoint de verificación de correo electrónico (/verificationEmailRequest) devuelve respuestas de error distintas dependiendo de si una dirección de correo electrónico pertenece a un usuario existente, ya está verificada o no existe. Un atacante puede enviar solicitudes con diferentes direcciones de correo electrónico y observar los códigos de error para determinar qué direcciones de correo electrónico están registradas en la aplicación. Esta es una vulnerabilidad de enumeración de usuarios que afecta a cualquier despliegue de Parse Server con la verificación de correo electrónico habilitada (verifyUserEmails: true). Esta vulnerabilidad está corregida en las versiones 8.6.34 y 9.6.0-alpha.8.
References () https://github.com/parse-community/parse-server/releases/tag/8.6.34 - () https://github.com/parse-community/parse-server/releases/tag/8.6.34 - Product, Release Notes
References () https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8 - () https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8 - Product, Release Notes
References () https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856 - () https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856 - Patch, Vendor Advisory

11 Mar 2026, 20:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-11 20:16

Updated : 2026-03-13 17:06

NVD link : CVE-2026-31901

Mitre link : CVE-2026-31901

CVE.ORG link : CVE-2026-31901

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-204

Observable Response Discrepancy