Parse Server is an open-source backend platform that runs on Node.js and is widely used to build applications with user authentication features. In versions prior to 8.6.51 and 9.6.0-alpha.40, a vulnerability (CVE-2026-33323) exists in the Pages route and the legacy PublicAPI route responsible for resending email verification links. These routes return different HTTP redirect responses based on whether the provided username exists and whether the associated email is unverified. This discrepancy creates an observable response difference that allows an unauthenticated attacker to enumerate valid usernames by sending requests and analyzing the redirect targets. The vulnerability is classified under CWE-204 (Observable Response Discrepancy), which involves leaking information through differences in system responses. Although parse-server has a configuration option named emailVerifySuccessOnInvalidEmail that masks such enumeration attempts by returning uniform responses, this protection was not applied to the affected routes, leaving them exposed. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. The issue was addressed and patched in versions 8.6.51 and 9.6.0-alpha.40 by ensuring consistent responses regardless of username validity or email verification status. No public exploits have been reported to date, but the flaw could be leveraged for reconnaissance in targeted attacks.

The primary impact of this vulnerability is information disclosure through username enumeration. Attackers can identify valid usernames on systems running vulnerable parse-server versions, which can facilitate further attacks such as credential stuffing, phishing, or social engineering. While it does not directly compromise confidentiality, integrity, or availability of data, the ability to enumerate users undermines privacy and can be a stepping stone for more severe attacks. Organizations using parse-server for user management, especially those with sensitive user bases, risk exposing user identity information. This can lead to reputational damage, increased risk of account takeover, and compliance issues related to data protection regulations. Since the vulnerability is exploitable without authentication or user interaction, it poses a moderate risk to any exposed parse-server deployments that have not applied the patch.

Organizations should upgrade parse-server to version 8.6.51 or later, or 9.6.0-alpha.40 or later, where this vulnerability is patched. If immediate upgrade is not feasible, administrators should verify and enforce the emailVerifySuccessOnInvalidEmail configuration is applied consistently across all routes handling email verification resends, including the Pages and legacy PublicAPI routes. Implementing uniform response behavior regardless of username validity or email verification status is critical to prevent enumeration. Additionally, monitoring and rate limiting requests to these endpoints can reduce the risk of automated enumeration attacks. Logging and alerting on suspicious patterns of repeated email verification requests can help detect exploitation attempts. Finally, educating users and administrators about the risks of username enumeration and encouraging strong multi-factor authentication can mitigate downstream risks.