Home / Vulnerability Intelligence / CVE-2026-31828

CVE-2026-31828 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 11, 2026

Parse Server - LDAP Injection

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Parse Server < 9.5.2-alpha.13 and < 8.6.26 contains an LDAP injection caused by unescaped user input in LDAP DN and group search filters, letting authenticated LDAP users escalate privileges by bypassing group checks.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Authenticated LDAP users can escalate privileges to any restricted group, potentially gaining unauthorized access.

Mitigation

Update to versions 9.5.2-alpha.13 or 8.6.26 or later.

References

https://github.com/parse-community/parse-server/releases/tag/8.6.26
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13
https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-31828
Severity: High
CVSS Score: 8.8
Type: ldap_injection
Status: confirmed

CWE

CWE-90

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H