Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability exists in Parse Server’s /verificationEmailRequest endpoint. Key detail from the official description: the endpoint returns distinct error codes depending on whether an email address belongs to a registered user, is already verified, or does not exist. This inconsistency enables an attacker to determine which email addresses are registered in the application (user‑enumeration), classified as CWE‑204. The impact is a disclosure of valid user accounts, which can be leveraged for phishing or credential‑reuse attacks; it does not allow code execution or direct access to other data, but it compromises user confidentiality.

Affected Systems

Deployments of Parse Server using any version prior to 8.6.34 or 9.6.0‑alpha.8 with email verification enabled (verifyUserEmails: true) are affected. The vulnerability is present in all releases listed before the fix, as noted in the vendor’s release announcements.

Risk and Exploitability

Based on the description, the likely attack vector is remote HTTP requests to the publicly exposed /verificationEmailRequest endpoint; no authentication is required. The CVSS score of 6.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of active exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only the ability to send standard HTTP requests and observe response codes, making it accessible to attackers with minimal effort, though the low EPSS mitigates immediate concern.

Generated by OpenCVE AI on March 17, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.34 or newer
  • Upgrade Parse Server to version 9.6.0-alpha.8 or newer

Generated by OpenCVE AI on March 17, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w54v-hf9p-8856 Parse Server vulnerable to user enumeration via email verification endpoint
History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.
Title Parse Server has user enumeration via email verification endpoint
Weaknesses CWE-204
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:01:40.698Z

Reserved: 2026-03-09T21:59:02.689Z

Link: CVE-2026-31901

cve-icon Vulnrichment

Updated: 2026-03-12T20:01:37.925Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:16.120

Modified: 2026-03-13T17:06:01.507

Link: CVE-2026-31901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:20Z

Weaknesses