Main Vulnerability Database Vulnerabilities #VU124984

#VU124984 LDAP injection in Parse Server - CVE-2026-31828

Published: April 6, 2026 / Updated: April 7, 2026

Vulnerability identifier: #VU124984

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-31828

CWE-ID: CWE-90

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Parse Server

Software vendor:
Parse Community

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the LDAP authentication adapter when constructing LDAP distinguished names and group search filters from user-supplied input. A remote user can supply a specially crafted authData.id value to escalate privileges.

The issue affects deployments that use the LDAP authentication adapter with group-based access control.

Remediation

Install security update from vendor's website.

External links

https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c

#VU124984 LDAP injection in Parse Server - CVE-2026-31828

Description

Remediation

External links

Please verify you're human