Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web applications. CVE-2026-33323 is a vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting parse-server versions prior to 8.6.51 and 9.6.0-alpha.40. The vulnerability exists in the Pages route and the legacy PublicAPI route responsible for resending email verification links. These routes return different HTTP redirect responses depending on whether the provided username exists and whether the associated email is unverified. This discrepancy allows an unauthenticated attacker to perform username enumeration by analyzing the redirect targets, which differ between valid and invalid usernames or email verification states. The vulnerability stems from the fact that the emailVerifySuccessOnInvalidEmail configuration option, designed to prevent such enumeration by returning uniform responses, was not applied to these specific routes. Exploiting this flaw requires no authentication or user interaction, making it easier for attackers to gather valid usernames for further attacks such as phishing, credential stuffing, or social engineering. The issue was addressed and patched in parse-server versions 8.6.51 and 9.6.0-alpha.40 by ensuring consistent response behavior across all relevant routes. There are no known exploits in the wild at the time of publication, but the medium CVSS score of 6.3 reflects the moderate risk posed by this information disclosure vulnerability.

The primary impact of this vulnerability is information disclosure through user enumeration. Attackers can identify valid usernames on affected parse-server deployments without authentication, which can facilitate targeted phishing campaigns, brute force attacks, or social engineering. While it does not directly allow system compromise or data manipulation, the ability to enumerate users undermines privacy and security by exposing user existence and verification status. Organizations relying on parse-server for backend services, especially those handling sensitive user data or authentication workflows, face increased risk of follow-on attacks. This can lead to reputational damage, increased incident response costs, and potential regulatory compliance issues related to user data protection. The vulnerability affects all deployments running vulnerable parse-server versions, regardless of infrastructure, making it a widespread concern for developers and enterprises using this backend technology.

To mitigate this vulnerability, organizations should upgrade parse-server to version 8.6.51 or later, or 9.6.0-alpha.40 or later, where the issue is patched. If immediate upgrade is not feasible, administrators should review and modify the email verification resend routes to ensure uniform response behavior regardless of username validity or email verification status, effectively disabling user enumeration. Additionally, enabling and verifying the emailVerifySuccessOnInvalidEmail configuration option is critical to prevent response discrepancies. Implementing rate limiting and monitoring for abnormal request patterns on email verification endpoints can help detect and block enumeration attempts. Security teams should also audit their parse-server configurations and logs for signs of reconnaissance activity. Finally, educating users about phishing risks and enforcing strong authentication mechanisms (e.g., multi-factor authentication) can reduce the impact of any user enumeration.