Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.
Published: 2026-03-10
Score: 6 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Privilege Escalation via LDAP Injection
Action: Apply Patch
AI Analysis

Impact

The LDAP authentication adapter in Parse Server prior to versions 9.5.2-alpha.13 and 8.6.26 concatenates unescaped user input (authData.id) into LDAP Distinguished Names and group search filters. This creates an injection vector that lets an authenticated attacker alter the bind DN or the group membership check. The attacker can thereby produce a bind or group query that reports the user as a member of any protected group, elevating privileges within the application.
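The defect described above is raw string interpolation of authData.id into a DN and a search filter. The following added example (written for this page, not Parse Server's own adapter code) contrasts that pattern with value escaping per RFC 4514 for DN components and RFC 4515 for filter assertion values. The function names, the base DN, the attribute names and the sample inputs are assumed placeholders; countRdns shows how a single unescaped comma changes the structure of the resulting DN.

```javascript
// Added example, not Parse Server's own adapter code: escaping user-supplied
// values before they are placed into an LDAP DN (RFC 4514) or a search filter
// (RFC 4515). Function names, base DN and attribute names are assumed.

// RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
function escapeDnValue(value) {
  let out = String(value)
    .replace(/\\/g, '\\\\')     // backslash first so later escapes are not doubled
    .replace(/,/g, '\\,')
    .replace(/\+/g, '\\+')
    .replace(/"/g, '\\"')
    .replace(/</g, '\\<')
    .replace(/>/g, '\\>')
    .replace(/;/g, '\\;')
    .replace(/=/g, '\\=')
    .replace(/\u0000/g, '\\00');
  // A trailing space, and a leading '#' or space, also need escaping.
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  if (out.startsWith('#') || out.startsWith(' ')) out = '\\' + out;
  return out;
}

// RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
function escapeFilterValue(value) {
  return String(value)
    .replace(/\\/g, '\\5c')     // backslash first
    .replace(/\*/g, '\\2a')
    .replace(/\(/g, '\\28')
    .replace(/\)/g, '\\29')
    .replace(/\u0000/g, '\\00');
}

// Vulnerable pattern from the advisory: the raw id is interpolated directly.
function buildBindDnUnsafe(userId, baseDn) {
  return `uid=${userId},${baseDn}`;
}

// Hardened form: the id is escaped as an RDN attribute value.
function buildBindDn(userId, baseDn) {
  return `uid=${escapeDnValue(userId)},${baseDn}`;
}

// Vulnerable group check: raw values inside the filter.
function buildGroupFilterUnsafe(userId, groupCn) {
  return `(&(objectClass=posixGroup)(cn=${groupCn})(memberUid=${userId}))`;
}

// Hardened group check: every assertion value is filter-escaped.
function buildGroupFilter(userId, groupCn) {
  return `(&(objectClass=posixGroup)(cn=${escapeFilterValue(groupCn)})(memberUid=${escapeFilterValue(userId)}))`;
}

// Number of RDNs in a DN: commas not preceded by a backslash separate RDNs.
function countRdns(dn) {
  return dn.split(/(?<!\\),/).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  const base = 'ou=people,dc=example,dc=com';  // constructed base DN
  const id = 'smith, jr';                       // a legitimate value containing a comma
  console.log(buildBindDnUnsafe(id, base), 'RDNs:', countRdns(buildBindDnUnsafe(id, base)));
  console.log(buildBindDn(id, base), 'RDNs:', countRdns(buildBindDn(id, base)));
  console.log(buildGroupFilterUnsafe('a*b(c)', 'admins'));
  console.log(buildGroupFilter('a*b(c)', 'admins'));
}
```

With the base DN holding three RDNs, the unsafe DN for `smith, jr` has five RDNs while the escaped one has the expected four; the same value is treated as one attribute value rather than as DN structure. In the filter, `*`, `(` and `)` become `\2a`, `\28` and `\29`, so they can no longer terminate or extend the assertion.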

Affected Systems

Parse Server (parse-community:parse-server) deployments that use the LDAP authentication adapter with group-based access control. Any such configuration running a release before the patched versions, 9.5.2-alpha.13 and 8.6.26, is affected, including earlier major and minor release lines.

Risk and Exploitability

The weakness carries a CVSS score of 6, indicating moderate severity. Exploit probability is very low, with an EPSS below 1%, and the vulnerability is not catalogued in the CISA KEV list. Exploitation requires possession of valid LDAP credentials, so the attack is limited to authenticated users. The primary risk is privilege escalation to restricted groups, which could lead to unauthorized access to protected resources.

Generated by OpenCVE AI on April 16, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2-alpha.13 or 8.6.26 (or a newer release that contains the fix).
  • Ensure that LDAP authentication is correctly configured and that the patched code is in use; remove any custom overrides that might re-introduce unsanitized input handling.
  • If an immediate upgrade is not possible, restrict LDAP account privileges to the minimum required for application operation and audit group membership changes for anomalous patterns.
  • Implement logging of bind DN usage and monitor for repeated authentication failures or unexpected group inclusion that may indicate an attempted LDAP injection.
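Acting on the last two recommendations means spotting authentication attempts whose user id carries DN or filter metacharacters, and ids that accumulate bind failures. This added example (not OpenCVE's or Parse Server's code) runs that check over constructed log lines in an assumed format; the log format, the field names, the sample ids and the failure threshold are all illustrative.

```javascript
// Added example, not OpenCVE's or Parse Server's code: scanning application
// logs for LDAP bind attempts whose id contains DN (RFC 4514) or filter
// (RFC 4515) metacharacters, and for ids with repeated bind failures.
// The log format "<ts> ldap bind id=<id> result=<ok|fail>" is constructed.

const LDAP_METACHARS = /[\\,+"<>;=*()\u0000]/;

// Constructed sample log lines for this example.
const SAMPLE_LOGS = [
  '2026-03-10T22:00:01Z ldap bind id=alice result=ok',
  '2026-03-10T22:00:05Z ldap bind id=bob result=fail',
  '2026-03-10T22:00:06Z ldap bind id=bob result=fail',
  '2026-03-10T22:00:07Z ldap bind id=bob result=fail',
  '2026-03-10T22:00:09Z ldap bind id=carol*(x) result=ok',
  '2026-03-10T22:00:12Z ldap bind id=dave,x result=fail',
];

// Parse one line into { ts, id, ok }; returns null for lines in another format.
function parseLine(line) {
  const m = line.match(/^(\S+) ldap bind id=(.+?) result=(ok|fail)$/);
  if (!m) return null;
  return { ts: m[1], id: m[2], ok: m[3] === 'ok' };
}

// Walk the lines once; emit a finding for every id carrying metacharacters and
// one finding when an id reaches failThreshold failed binds.
function analyzeLogs(lines, failThreshold = 3) {
  const findings = [];
  const failures = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (LDAP_METACHARS.test(ev.id)) {
      findings.push({ type: 'metachar', id: ev.id, ts: ev.ts });
    }
    if (!ev.ok) {
      const n = (failures.get(ev.id) || 0) + 1;
      failures.set(ev.id, n);
      if (n === failThreshold) {
        findings.push({ type: 'repeated_failure', id: ev.id, count: n, ts: ev.ts });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyzeLogs(SAMPLE_LOGS)) console.log(JSON.stringify(f));
}
```

A legitimate directory can contain ids with commas or plus signs, so the metachar finding is a review queue rather than a verdict; the point is that, before the patch, those characters reached the DN and filter unescaped, and after it they are harmless but still worth seeing.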


Advisories
Source: GitHub GHSA
ID: GHSA-7m6r-fhh7-r47c
Title: Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
History

Wed, 11 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Parseplatform; Parseplatform parse-server
Type: CPEs
Values Added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Parseplatform; Parseplatform parse-server
Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server
Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Tue, 10 Mar 2026 22:00:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.
Type: Title
Values Added: Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction
Type: Weaknesses
Values Added: CWE-90
Type: References
Type: Metrics
Values Added: cvssV4_0
{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:10.800Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31828

Vulnrichment

Updated: 2026-03-11T15:51:51.877Z

NVD

Status : Analyzed

Published: 2026-03-10T22:16:20.783

Modified: 2026-03-11T14:28:08.187

Link: CVE-2026-31828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses