QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-39321

Back to search

CVE-2026-39321

Published: Apr 7, 2026

Modified: Apr 7, 2026

PUBLISHED

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.

VendorProductVersions

parse-community

parse-server

affected
>= 9.0.0, < 9.8.0-alpha.6
affected
< 8.6.74

Weaknesses (CWE)

CWE-208

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now
CVE-2026-39321 - Security Vulnerability | QwikSec