Parse Server login endpoint discloses user existence
CVE-2026-39321
GHSA-mmpq-5hcv-hf2v
Summary
Parse Server login endpoint reveals whether a user exists, potentially aiding attackers. This is fixed in versions 9.8.0-alpha.6 and 8.6.74. Update to a patched version to prevent unauthorized user enumeration.
What to do
- Update parse-server to version 9.8.0-alpha.6.
- Update parse-server to version 8.6.74.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0, <= 9.8.0-alpha.6 | 9.8.0-alpha.6 |
| – | parse-server | <= 8.6.74 | 8.6.74 |
Original title
Parse Server has a login timing side-channel that reveals user existence
Original description
### Impact
The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.
### Patches
A dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.
### Workarounds
Configure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests.
NVD CVSS 4.0
6.3
Vulnerability type
CWE-208
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026