
Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-07 | Updated 2026-04-07 | Assigner GitHub_M

MEDIUM: 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-208: Observable Timing Discrepancy

Product status

>= 9.0.0, < 9.8.0-alpha.6: affected

< 8.6.74: affected

References

github.com/...server/security/advisories/GHSA-mmpq-5hcv-hf2v

github.com/parse-community/parse-server/pull/10398

github.com/parse-community/parse-server/pull/10399

cve.org (CVE-2026-39321)

nvd.nist.gov (CVE-2026-39321)
