CVE-2026-31901: CWE-204: Observable Response Discrepancy in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.
AI Analysis
Technical Summary
CVE-2026-31901 is a vulnerability classified under CWE-204 (Observable Response Discrepancy) found in parse-community's parse-server, an open-source backend framework for Node.js. The issue exists in the email verification endpoint (/verificationEmailRequest) in versions prior to 8.6.34 and 9.6.0-alpha.8 when the verifyUserEmails feature is enabled. The endpoint returns different error responses based on the state of the email address submitted: whether it belongs to an existing user, is already verified, or does not exist at all. This discrepancy in responses allows an unauthenticated attacker to enumerate valid user email addresses by sending crafted requests and analyzing the returned error codes. Such user enumeration can facilitate targeted phishing, credential stuffing, or social engineering attacks. The vulnerability does not require authentication or user interaction and is exploitable remotely over the network. Although it does not directly compromise data confidentiality, integrity, or availability, it leaks sensitive information about user registration status, which is a privacy concern. The vulnerability has been addressed in parse-server versions 8.6.34 and 9.6.0-alpha.8 by standardizing error responses to prevent information leakage. No known exploits are reported in the wild as of the publication date. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality with no impact on integrity or availability.
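The response discrepancy described above, modelled as an added example: the leaky handler answers differently for an unknown, an unverified and an already verified address, while the hardened handler returns one fixed response and decides server-side whether to send mail. This is illustrative code, not parse-server's own; the user store, error codes and messages are constructed.

```javascript
// Constructed user store: one unverified account, one verified account.
const users = new Map([
  ['alice@example.com', { emailVerified: false }],
  ['bob@example.com',   { emailVerified: true }],
]);

// Records addresses that would receive a verification mail (stand-in for a mailer).
const sent = [];
function sendVerificationEmail(email) { sent.push(email); }

// Vulnerable shape (CWE-204): status, code and message depend on account state,
// so the caller learns whether the address is registered and whether it is verified.
// Codes and messages here are constructed, not parse-server's actual values.
function requestVerificationLeaky(email, store = users) {
  const user = store.get(email);
  if (!user) return { status: 400, body: { code: 1, error: 'No user found with that email' } };
  if (user.emailVerified) return { status: 400, body: { code: 2, error: 'Email already verified' } };
  sendVerificationEmail(email);
  return { status: 200, body: {} };
}

// Hardened shape: every branch returns the identical status and body; only the
// side effect (sending mail) differs, and that is not observable in the response.
function requestVerificationUniform(email, store = users) {
  const user = store.get(email);
  if (user && !user.emailVerified) sendVerificationEmail(email);
  return { status: 200, body: {} };
}

// Defender check: probe a handler with addresses in each state and report
// whether all of them yield the same observable response.
function isUniform(handler, emails) {
  const views = new Set(emails.map(e => JSON.stringify(handler(e))));
  return views.size === 1;
}
```

Run the check with an unknown, an unverified and a verified address: the leaky handler is distinguishable, the uniform one is not, and only the unverified account actually gets mail.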
Potential Impact
The primary impact of CVE-2026-31901 is the leakage of user registration information through user enumeration. This can enable attackers to compile lists of valid email addresses registered on affected parse-server deployments. Such information can be leveraged for targeted phishing campaigns, social engineering, brute force or credential stuffing attacks, increasing the risk of account compromise. Organizations relying on parse-server for backend services with email verification enabled may inadvertently expose their user base to privacy violations and subsequent attacks. While the vulnerability does not directly affect system integrity or availability, the indirect consequences can lead to reputational damage, loss of user trust, and potential regulatory compliance issues related to user data privacy. Enterprises with large user bases or those in regulated industries should consider this vulnerability a significant privacy risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to version 8.6.34 or later, or 9.6.0-alpha.8 or later, where the vulnerability is fixed by normalizing error responses to prevent user enumeration. Until upgrades can be applied, administrators should consider implementing additional controls such as rate limiting and IP throttling on the /verificationEmailRequest endpoint to reduce the feasibility of mass enumeration attempts. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious patterns of email verification requests can further mitigate risk. Monitoring logs for repeated failed verification attempts from single IPs or ranges can help identify reconnaissance activity. Additionally, consider disabling email verification temporarily if feasible or implementing CAPTCHAs on the verification request endpoint to hinder automated attacks. Educating users about phishing risks and encouraging strong, unique passwords can reduce the impact of any subsequent attacks leveraging enumerated email addresses.
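The log-monitoring recommendation above, as an added example that is not from the advisory or the parse-server project: it scans access-style log lines for source IPs that accumulate many failed (4xx) calls to the verification endpoint inside a sliding window, which is the pattern an enumeration run against an unpatched server leaves. The log line format, addresses and threshold are constructed for the example.

```javascript
// Constructed sample log: "<ISO timestamp> <client ip> POST <path> <status>".
// 203.0.113.5 fails six times in 15 seconds; 198.51.100.7 fails twice; one 200 and
// one unrelated request are included to show they are ignored.
const SAMPLE_LOG = [
  '2026-03-11T19:44:49Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:44:52Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:44:55Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:44:58Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:45:01Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:45:04Z 203.0.113.5 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:50:00Z 198.51.100.7 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:50:30Z 198.51.100.7 POST /parse/verificationEmailRequest 400',
  '2026-03-11T19:51:00Z 203.0.113.9 POST /parse/verificationEmailRequest 200',
  '2026-03-11T19:52:00Z 203.0.113.9 GET /parse/classes/Item 200',
];

const LINE = /^(\S+) (\S+) POST \/parse\/verificationEmailRequest (\d{3})$/;

// Returns { ts, ip, status } for a matching line, null for anything else.
function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], status: Number(m[3]) };
}

// Returns the IPs with more than `threshold` failed (4xx/5xx) verification
// requests inside any sliding window of `windowMs` milliseconds.
function flagEnumerators(lines, { threshold = 5, windowMs = 60_000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.status < 400) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev.ts);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let lo = 0; // oldest event still inside the window ending at times[hi]
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      if (hi - lo + 1 > threshold) { flagged.push(ip); break; }
    }
  }
  return flagged;
}
```

Once the server is upgraded, the endpoint no longer returns a failure for unknown addresses, so this rule should be re-based on request volume rather than on status codes.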
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T21:59:02.689Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1c6312f860ef9436c35e1
Added to database: 3/11/2026, 7:44:49 PM
Last enriched: 3/11/2026, 8:00:44 PM
Last updated: 3/13/2026, 12:22:18 PM