Parse Server is an open-source backend framework that supports deployment on any Node.js infrastructure and commonly uses MongoDB as its database. CVE-2026-30941 is a NoSQL injection vulnerability classified under CWE-943, which involves improper neutralization of special elements in data query logic. The vulnerability exists in parse-server versions prior to 8.6.14 and 9.5.2-alpha.1, specifically in the password reset and email verification resend endpoints. These endpoints accept a token parameter that is used directly in MongoDB queries without proper type validation or sanitization, allowing an attacker to inject MongoDB query operators. This injection can be exploited by an unauthenticated attacker to extract sensitive tokens such as password reset tokens and email verification tokens from the database. Notably, if the configuration option emailVerifyTokenReuseIfValid is enabled, the attacker can fully extract and reuse the email verification token to verify a user's email address without needing access to the user's email inbox, effectively bypassing email verification controls. The vulnerability does not require any authentication or user interaction, making it highly exploitable remotely. The flaw is fixed in parse-server versions 8.6.14 and 9.5.2-alpha.1 by implementing proper input validation and sanitization of the token parameter before it is used in database queries.

This vulnerability poses a significant risk to organizations using parse-server with MongoDB and email verification or password reset features enabled. An attacker can remotely extract sensitive tokens without authentication, potentially leading to unauthorized password resets or email verification bypass. This can result in account takeover, unauthorized access to user accounts, and compromise of user identity integrity. The ability to verify email addresses without inbox access undermines trust in the authentication process and can facilitate further attacks such as phishing or privilege escalation. Organizations relying on parse-server for user management and authentication may face data breaches, loss of user trust, and regulatory compliance issues. The vulnerability's ease of exploitation and broad impact on confidentiality and integrity make it a critical concern for any deployment using affected versions.

Organizations should immediately upgrade parse-server to version 8.6.14 or later, or 9.5.2-alpha.1 or later, where the vulnerability is patched. If immediate upgrade is not feasible, temporarily disable email verification and password reset features to reduce exposure. Review and audit all configurations related to emailVerifyTokenReuseIfValid, disabling it if not strictly necessary. Implement additional input validation and sanitization at the application layer to prevent injection of MongoDB operators in token fields. Monitor logs for unusual query patterns or repeated token requests that may indicate exploitation attempts. Employ network-level protections such as Web Application Firewalls (WAFs) configured to detect and block NoSQL injection payloads targeting these endpoints. Conduct thorough security testing and code reviews focusing on query parameter handling to prevent similar injection flaws. Finally, educate development teams on secure coding practices related to NoSQL query construction and input validation.