What is the severity of CVE-2026-32248?

CVE-2026-32248 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-32248?

No known public exploits are currently available for CVE-2026-32248.

Is there a patch available for CVE-2026-32248?

Yes, patches are available for CVE-2026-32248. Check the vendor advisories for update instructions.

CVE-2026-32248 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-32248?

### Impact An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. ### Patches The fix enforces that the user identifier in authentication data is a string before using it in a database query. Non-string values are rejected with a validation error. ### Workarounds There is no known workaround. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.38

Published: May 23, 2026

Last updated:2 days ago (May 23, 2026)

Updated May 23, 2026

Impact

An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable.

Patches

The fix enforces that the user identifier in authentication data is a string before using it in a database query. Non-string values are rejected with a validation error.

Workarounds

There is no known workaround.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87
Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12
Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.38

Strobes VI. (2026). CVE-2026-32248 - CVE Details and Analysis. Strobes VI. Retrieved May 25, 2026, from https://vi.strobes.co/cve/CVE-2026-32248

Vendor	Product
Parseplatform	Parse Server

NVD: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.

Ready for Agentic Automated Testing?

CVE-2026-32248

Impact

Patches

Workarounds

References