Impact
Parse Server allows an unauthenticated attacker to take over any user account created with an authentication provider that does not validate the format of the user identifier, such as anonymous authentication. The vulnerability is caused by operator injection in the authentication data identifier: a crafted login request triggers a pattern-matching query instead of an exact-match lookup, enabling the attacker to match an existing user and obtain a valid session token for that account. This flaw permits full compromise of the targeted user account and access to all data and operations authorized to that user.
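The defensive check this advisory implies is that the identifier inside `authData` must be a plain string before it is ever used as a database lookup key. The following is an added example, not Parse Server's own code; the `_auth_data_<provider>` field naming and the `PROVIDER_ID_FIELDS` table are assumptions used for illustration, and the request payloads are constructed.

```javascript
// Added example (not Parse Server code): validate the login payload shape
// { authData: { <provider>: { id: ... } } } so that only a non-empty string
// can become the value of an exact-match query on the user's auth identifier.

// Hypothetical table of which field holds the identifier for each provider.
const PROVIDER_ID_FIELDS = { anonymous: 'id' };

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Returns { ok: true, lookups } with one exact-match lookup per provider,
// or { ok: false, reason } when any identifier is not a plain string.
function validateAuthData(authData) {
  if (!isPlainObject(authData)) {
    return { ok: false, reason: 'authData must be an object' };
  }
  const lookups = [];
  for (const [provider, payload] of Object.entries(authData)) {
    if (!isPlainObject(payload)) {
      return { ok: false, reason: `authData.${provider} must be an object` };
    }
    const idField = PROVIDER_ID_FIELDS[provider] ?? 'id';
    const id = payload[idField];
    // Objects and arrays are rejected here: a query built from them could be
    // interpreted by the database as operators rather than as a literal value.
    if (typeof id !== 'string' || id.length === 0) {
      return { ok: false, reason: `authData.${provider}.${idField} must be a non-empty string` };
    }
    // Illustrative storage key; the value is a literal string, so the lookup is exact-match.
    lookups.push({ field: `_auth_data_${provider}.${idField}`, value: id });
  }
  return { ok: true, lookups };
}

// Constructed sample payloads: a well-formed anonymous login and a malformed one.
const goodLogin = { authData: { anonymous: { id: 'a1b2c3d4' } } };
const badLogin = { authData: { anonymous: { id: { nested: 'not-a-string' } } } };
console.log(validateAuthData(goodLogin.authData)); // ok: true, one exact-match lookup
console.log(validateAuthData(badLogin.authData));  // ok: false, identifier rejected
```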
Affected Systems
The affected product is parse-community:parse-server. Versions prior to 9.6.0-alpha.12 and prior to 8.6.38 are vulnerable; that is, all 9.6.0-alpha.x releases before alpha.12 and all 8.6.x releases before 8.6.38. Both the MongoDB and PostgreSQL database backends are impacted. Any Parse Server deployment that enables anonymous authentication (the default setting) is susceptible.
Risk and Exploitability
The CVSS score is 9.3, indicating critical severity. The EPSS score is <1%, suggesting that exploitation is currently unlikely but possible. It is not listed in the CISA KEV catalog. The attack vector requires network access to the login endpoint, and the attacker must send a specially crafted login request to trigger the pattern-matching behavior. Because the flaw sits in the authentication layer, successful exploitation results in remote compromise of user accounts without requiring additional privileges or access.
OpenCVE Enrichment