Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User enumeration via timing side‐channel
Action: Immediate Patch
AI Analysis

Impact

Parse Server exposes a timing side-channel that allows an unauthenticated attacker to distinguish between non‐existent and existing usernames. The vulnerability arises because the login endpoint returns immediately when a user is not found, but introduces a measurable delay when the username exists and the password is wrong due to a bcrypt comparison. This difference reveals the existence of accounts, posing a risk of credential stuffing or targeted attacks. The weakness is classified as CWE‑208, indicating a privacy exposure due to cryptographic timing differences.

Affected Systems

The affected product is the Parse Server open‑source backend, maintained by the parse-community. Versions prior to 9.8.0‑alpha.6 and 8.6.74 are vulnerable. Down‑stream deployments running these legacy releases, regardless of hosting environment, are at risk.

Risk and Exploitability

The CVSS score of 6.3 reflects a moderate severity, primarily driven by the potential for user enumeration rather than direct code execution. EPSS data is unavailable, but the attack does not require advanced skills beyond measuring response times, making it accessible to a broad range of adversaries. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly confirmed exploitation yet, yet the risk remains significant because enumeration can precede more destructive attacks.

Generated by OpenCVE AI on April 7, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.8.0‑alpha.6 or later, or 8.6.74 or later, which removes the timing discrepancy.
  • If an immediate upgrade is not possible, restrict external access to the login endpoint using firewall rules or internal network segmentation and consider implementing rate limiting to mitigate enumeration attempts.

Generated by OpenCVE AI on April 7, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mmpq-5hcv-hf2v Parse Server has a login timing side-channel reveals user existence
History

Wed, 15 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha5:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
Title Parse Server has a login timing side-channel reveals user existence
Weaknesses CWE-208
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:58:57.199Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39321

cve-icon Vulnrichment

Updated: 2026-04-07T18:45:22.670Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:43.090

Modified: 2026-04-15T17:20:11.180

Link: CVE-2026-39321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:44Z

Weaknesses