216.73.216.6

CVE-2026-31828

· Published 10/03/2026 22:16 · Modified 11/03/2026 14:28

Labels: CVE-2026-31828 2026-03-10CVE-2026-31828CWE-90[email protected]

Essential information

Published
10/03/2026 22:16
Modified
11/03/2026 14:28
Author
Creator
CVSS
6.0 MEDIUM (v3) 6.0 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha12:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*
parseplatform / parse-server cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*

References