Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. This vulnerability is fixed in 8.6.14 and 9.5.2-alpha.1.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: NoSQL injection enabling unauthorized extraction of password reset and email verification tokens
Action: Immediate Patch
AI Analysis

Impact

Parse Server is vulnerable to NoSQL injection because the token field supplied to the password reset and email verification resend endpoints is accepted without type validation. Attackers can embed MongoDB query operators in this field to query the database and retrieve sensitive tokens. If the configuration emailVerifyTokenReuseIfValid is enabled, the attacker can additionally capture a valid email verification token and use it to confirm a user’s email address without accessing the user’s inbox. This flaw permits unauthenticated data disclosure and could facilitate further account compromise. The weakness correlates with CWE‑943, a NoSQL Injection vulnerability.

Affected Systems

The flaw affects any deployment of the parse‑community:parse‑server product running on Node.js with a MongoDB backend that has email verification or password reset enabled. Versions prior to 8.6.14 and 9.5‑alpha.1 are impacted. All installations using these versions should be examined.

Risk and Exploitability

The CVSS score of 8.7 categorizes the issue as high severity. The EPSS score is reported as less than 1 %, indicating that widespread exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it via unauthenticated HTTP requests to the exposed endpoints, making the threat surface public and straightforward to discover.

Generated by OpenCVE AI on April 17, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.14 or 9.5.2-alpha.1 or later, which contains the fix for the injection issue.
  • If an upgrade cannot be performed immediately, disable the password reset and email verification resend endpoints or restrict them to internal network access to prevent unauthenticated token usage.
  • If the emailVerifyTokenReuseIfValid setting is enabled, set it to false until the upgrade is applied to eliminate the possibility of extracting a usable verification token.

Generated by OpenCVE AI on April 17, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vgjh-hmwf-c588 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
History

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. This vulnerability is fixed in 8.6.14 and 9.5.2-alpha.1.
Title Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Weaknesses CWE-943
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:01:15.699Z

Reserved: 2026-03-07T17:34:39.978Z

Link: CVE-2026-30941

cve-icon Vulnrichment

Updated: 2026-03-10T16:57:29.617Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:53.943

Modified: 2026-03-11T19:42:29.430

Link: CVE-2026-30941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses