CVE-2026-31828
Published: 10 March 2026
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of user-supplied authData.id before interpolation into LDAP DNs and filters, preventing LDAP injection exploits.
Mandates identification, reporting, and correction of the specific LDAP injection flaw in Parse Server via patching to fixed versions 8.6.26 or 9.5.2-alpha.13.
Vulnerability scanning and monitoring identify LDAP injection weaknesses (CWE-90) in the authentication adapter before they can be exploited.
Security Summary
CVE-2026-31828 is an LDAP injection vulnerability in the LDAP authentication adapter of Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.5.2-alpha.13 and 8.6.26, user-supplied input from authData.id is interpolated directly into LDAP Distinguished Names (DN) and group search filters without proper escaping of special characters. This flaw, classified under CWE-90 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), affects Parse Server deployments that use the LDAP authentication adapter together with group-based access control.
An attacker with valid LDAP credentials and low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By injecting malicious payloads into the authData.id field, the attacker can manipulate the LDAP bind DN structure and evade group membership validation filters. This enables privilege escalation, allowing any authenticated LDAP user to impersonate membership in any restricted group and gain elevated access within the affected Parse Server instance.
The Parse community has addressed this issue in releases 8.6.26 and 9.5.2-alpha.13, as detailed in the corresponding GitHub release notes and security advisory GHSA-7m6r-fhh7-r47c. Security practitioners should upgrade to these fixed versions and review configurations for LDAP authentication adapters using group-based controls to mitigate the risk of exploitation.
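The description and summary above both come down to one coding pattern: a user-controlled identifier placed verbatim inside a DN string and a group search filter. The following is an added example, not Parse Server's own adapter code, that shows that unsafe pattern next to a hardened form which escapes DN values per RFC 4514 and filter values per RFC 4515; the base DN, attribute names and group name are assumptions.

```javascript
// Added illustration of the flaw class in this advisory, not Parse Server code.
// BASE_DN, the uid/member attributes and the group object class are assumptions.
const BASE_DN = 'ou=people,dc=example,dc=com';

// Unsafe pattern: the identifier lands verbatim inside the DN and the filter,
// so DN separators or filter metacharacters in it change the query structure.
function unsafeBindDn(id) {
  return `uid=${id},${BASE_DN}`;
}
function unsafeGroupFilter(id, group) {
  return `(&(objectClass=groupOfNames)(cn=${group})(member=uid=${id},${BASE_DN}))`;
}

// RFC 4514: backslash-escape characters that delimit or structure a DN value,
// plus a leading '#', leading/trailing spaces and NUL bytes.
function escapeDnValue(v) {
  return String(v)
    .replace(/[\\,+"<>;]/g, (c) => '\\' + c)
    .replace(/^#/, '\\#')
    .replace(/^ /, '\\ ')
    .replace(/ $/, '\\ ')
    .replace(/\0/g, '\\00');
}

// RFC 4515: filter metacharacters become \xx hex escapes.
function escapeFilterValue(v) {
  return String(v).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Hardened pattern: escape at each context boundary (DN, then filter).
function safeBindDn(id) {
  return `uid=${escapeDnValue(id)},${BASE_DN}`;
}
function safeGroupFilter(id, group) {
  const member = escapeFilterValue(safeBindDn(id));
  return `(&(objectClass=groupOfNames)(cn=${escapeFilterValue(group)})(member=${member}))`;
}

// Defence in depth: an allowlist check rejects identifiers that should never
// reach the directory at all (pattern is an assumption for this example).
function isPlausibleId(id) {
  return /^[A-Za-z0-9._@-]{1,64}$/.test(String(id));
}

// Counts RDNs by splitting on commas that are not backslash-escaped; a safe
// build must keep the RDN count fixed regardless of what the identifier holds.
function countRdns(dn) {
  return dn.split(/(?<!\\),/).length;
}
```

With a constructed identifier such as `smith, john`, the unsafe builder yields five RDNs while the hardened builder keeps the intended four, which is the property a regression test for this class of bug should pin down.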
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LDAP injection vulnerability enables low-privileged authenticated attackers to manipulate LDAP queries for privilege escalation by impersonating restricted group memberships, directly facilitating Exploitation for Privilege Escalation (T1068).