CVE-2026-32248: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in parse-community parse-server
CVE-2026-32248 is a critical vulnerability in parse-community's parse-server affecting versions prior to 9.6.0-alpha.12 and 8.6.38. It allows unauthenticated attackers to take over user accounts created via authentication providers that do not validate user identifier formats, such as anonymous authentication. The attacker exploits improper neutralization of special elements in data query logic (CWE-943) by sending crafted login requests that trigger pattern-matching queries instead of exact matches. This enables the attacker to obtain valid session tokens for targeted user accounts. Both MongoDB and PostgreSQL backends are affected.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform that supports Node.js environments and uses databases like MongoDB and PostgreSQL. Versions prior to 9.6.0-alpha.12 and 8.6.38 contain a critical vulnerability (CVE-2026-32248) stemming from improper neutralization of special elements in data query logic (CWE-943). Specifically, when anonymous authentication or other authentication providers that do not validate user identifier formats are enabled, an attacker can craft a login request that manipulates the query logic. Instead of performing an exact-match lookup for the user identifier, the server executes a pattern-matching query, which can match existing user accounts. This flaw allows an unauthenticated attacker to bypass authentication controls and obtain valid session tokens for arbitrary user accounts, effectively taking them over. The vulnerability affects both MongoDB and PostgreSQL backends, indicating the issue lies in the query construction layer rather than the database itself. Exploitation requires no privileges or user interaction, making it highly accessible to attackers. The vulnerability is resolved in parse-server versions 9.6.0-alpha.12 and 8.6.38 by properly sanitizing and validating user identifiers to enforce exact-match queries. No public exploits have been reported yet, but the high severity and ease of exploitation make this a critical risk for affected deployments, especially those with anonymous authentication enabled by default.
Potential Impact
This vulnerability allows attackers to completely compromise user accounts without authentication or user interaction, leading to unauthorized access to sensitive data and functionality tied to those accounts. Organizations using vulnerable parse-server versions with anonymous authentication enabled risk widespread account takeover, data breaches, and potential lateral movement within their systems. The ability to obtain valid session tokens undermines the integrity and confidentiality of user data and can disrupt availability if attackers misuse accounts or escalate privileges. Since parse-server is used as a backend for various applications, the impact extends to any connected services or data stores. The vulnerability affects both MongoDB and PostgreSQL backends, broadening the scope of affected deployments. Exploitation could lead to loss of user trust, regulatory penalties, and operational disruptions. Given the default enabling of anonymous authentication, many deployments may be unknowingly exposed, increasing the global risk.
Mitigation Recommendations
Organizations should immediately upgrade parse-server to version 9.6.0-alpha.12 or 8.6.38 or later, where the vulnerability is fixed. If upgrading is not immediately possible, disable anonymous authentication or any authentication providers that do not validate user identifier formats to prevent exploitation. Implement strict input validation and sanitization on all user identifiers to enforce exact-match queries and prevent pattern-matching injection. Review and audit authentication flows and session management to detect anomalous login patterns or session token issuance. Employ network-level protections such as rate limiting and IP reputation filtering to reduce attack surface. Monitor logs for suspicious login attempts that may indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block crafted login requests exploiting this vulnerability. Finally, educate development and security teams about the risks of improper query neutralization and enforce secure coding practices for query construction.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.686Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b317b02f860ef943e6472d
Added to database: 3/12/2026, 7:44:48 PM
Last enriched: 3/12/2026, 7:59:21 PM
Last updated: 3/12/2026, 8:58:45 PM