CVE-2026-31828 (GCVE-0-2026-31828)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:41 – Updated: 2026-03-11 15:59
Title
Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions from 9.0.0 before 9.5.2-alpha.13, and in versions before 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DNs) and group search filters without escaping special characters. An attacker who holds valid LDAP credentials can therefore manipulate the structure of the bind DN and bypass group membership checks, so that any authenticated LDAP user can escalate privileges and be treated as a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. It is fixed in 9.5.2-alpha.13 and 8.6.26.
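Severity
- CVSS 4.0 (CNA, GitHub_M): 6.0 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
- CVSS 3.1 (NVD): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- The two scores differ: the CNA rates only integrity impact as high, while NVD rates confidentiality, integrity and availability as high.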
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
GitHub_M
References
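| URL | Tags |
|---|---|
| https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c | x_refsource_CONFIRM |
| https://github.com/parse-community/parse-server/releases/tag/8.6.26 | x_refsource_MISC |
| https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13 | x_refsource_MISC |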
Impacted products
| Vendor | Product | Version |
|---|---|---|
| parse-community | parse-server | Affected: >= 9.0.0 < 9.5.2-alpha.13 |
| parse-community | parse-server | Affected: < 8.6.26 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:51:50.477327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:59:10.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0 \u003c 9.5.2-alpha.13"
},
{
"status": "affected",
"version": "\u003c 8.6.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T21:41:48.146Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13"
}
],
"source": {
"advisory": "GHSA-7m6r-fhh7-r47c",
"discovery": "UNKNOWN"
},
"title": "Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31828",
"datePublished": "2026-03-10T21:41:48.146Z",
"dateReserved": "2026-03-09T17:41:56.077Z",
"dateUpdated": "2026-03-11T15:59:10.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31828\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T22:16:20.783\",\"lastModified\":\"2026-03-11T14:28:08.187\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.\"},{\"lang\":\"es\",\"value\":\"Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Anteriormente a 9.5.2-alpha.13 y 8.6.26, el adaptador de autenticaci\u00f3n LDAP es vulnerable a la inyecci\u00f3n LDAP. La entrada proporcionada por el usuario (authData.id) se interpola directamente en los Nombres Distinguidos LDAP (DN) y en los filtros de b\u00fasqueda de grupo sin escapar caracteres especiales. Esto permite a un atacante con credenciales LDAP v\u00e1lidas manipular la estructura del DN de enlace y eludir las comprobaciones de membres\u00eda de grupo. Esto posibilita la escalada de privilegios desde cualquier usuario LDAP autenticado a un miembro de cualquier grupo restringido. La vulnerabilidad afecta a los despliegues de Parse Server que utilizan el adaptador de autenticaci\u00f3n LDAP con control de acceso basado en grupos. 
Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.13 y 8.6.26.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privileg
esRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-90\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"8.6.26\",\"matchCriteriaId\":\"F3920902-9365-4C17-BB8F-674A28AE52D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.2\",\"matchCriteriaId\":\"E66572ED-597B-4D8E-A636-733D463A4E4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"79CCA374-1498-4651-9FF9-F0B73D76CEB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"2EEA21BC-9699-4625-9319-5C687219C716\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha12:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D79432DC-A58A-4858-BBA1-2BEECBEBF6E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"6521B8A9-6116-4CAE-9B5E-F22C204B1F0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"601B2CF1-D29A-42CC-8405-185C1A8E1EB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*\",\"matchCrit
eriaId\":\"BC9F2B9D-026F-454B-B565-05AA441FA54F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"FDDB20F1-F6A7-4B1E-B075-CC250613D826\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CA14D0B7-B952-4C4E-B271-3EBB51C03E9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"19B7C5A9-B59A-4A47-B4F0-13C7C796B496\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0E619B8B-BC91-4F71-B84D-52E563AB8E03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"6C9DB980-4201-43D3-B019-2A6B325B896E\"}]}]}],\"references\":[{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/8.6.26\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31828\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T15:51:50.477327Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-11T15:51:51.877Z\"}}], \"cna\": {\"title\": \"Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction\", \"source\": {\"advisory\": \"GHSA-7m6r-fhh7-r47c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"parse-community\", \"product\": \"parse-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 9.0.0 \u003c 9.5.2-alpha.13\"}, {\"status\": \"affected\", \"version\": \"\u003c 8.6.26\"}]}], \"references\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c\", \"name\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.26\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.26\", \"tags\": 
[\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-90\", \"description\": \"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T21:41:48.146Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-31828\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T15:59:10.800Z\", \"dateReserved\": \"2026-03-09T17:41:56.077Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T21:41:48.146Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.