CVE-2026-30941 Overview
CVE-2026-30941 is a NoSQL injection vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. This vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens.
Critical Impact
Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, attackers can fully extract the email verification token and use it to verify a user's email address without inbox access.
Affected Products
- parseplatform parse-server versions prior to 8.6.14
- parseplatform parse-server versions prior to 9.5.2-alpha.1
- All Parse Server deployments using MongoDB with email verification or password reset enabled
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-30941 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30941
Vulnerability Analysis
This NoSQL injection vulnerability exists in Parse Server's authentication-related endpoints, specifically the password reset and email verification resend functionality. The core issue stems from improper handling of user-supplied input in the token field when constructing MongoDB queries.
When processing password reset or email verification requests, Parse Server accepts a token parameter that should be a simple string value. However, the application fails to validate that the token is actually a string type before passing it to MongoDB queries. This lack of type validation creates an opportunity for attackers to inject MongoDB query operators instead of a plain string value.
An attacker can exploit this by sending specially crafted JSON payloads where the token field contains MongoDB operators such as $regex, $gt, $ne, or other comparison operators. These operators are then interpreted by MongoDB, allowing the attacker to manipulate query logic and potentially extract sensitive token values through blind injection techniques.
Root Cause
The root cause of CVE-2026-30941 is the absence of type validation on the token field before it is used in database queries. Parse Server's password reset and email verification endpoints accept JSON input and directly pass the token field to MongoDB queries without verifying that the value is a string type. This allows attackers to submit objects containing MongoDB operators instead of string tokens, which MongoDB then interprets as query conditions rather than literal values to match.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send HTTP requests to the password reset or email verification resend endpoints with a maliciously crafted token field. By using MongoDB operators like $regex with iterative queries, an attacker can systematically extract valid tokens character by character. Once a valid password reset or email verification token is extracted, the attacker can use it to reset a user's password or verify their email address without having access to the user's email inbox.
The vulnerability is particularly severe when the emailVerifyTokenReuseIfValid configuration option is enabled, as this allows the email verification token to be reused, giving attackers more time to extract and use the token before it expires or becomes invalid.
Detection Methods for CVE-2026-30941
Indicators of Compromise
- HTTP requests to /parse/requestPasswordReset or /parse/verifyEmailResend endpoints containing JSON objects in the token field instead of string values
- Repeated requests to authentication endpoints with varying token patterns suggesting blind injection attempts
- MongoDB query logs showing unexpected operators like $regex, $gt, $ne, or $exists in authentication-related queries
- Unusual patterns of email verification or password reset token usage from unexpected IP addresses
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing MongoDB operators in token fields
- Monitor application logs for requests where the token parameter contains object notation (curly braces) rather than string values
- Enable detailed MongoDB query logging and alert on queries containing injection operators in the authentication context
- Implement rate limiting on password reset and email verification endpoints to slow down extraction attempts
Monitoring Recommendations
- Set up alerts for high-frequency requests to password reset and email verification endpoints from single IP addresses
- Monitor for patterns of requests with systematically varying token values indicative of blind injection enumeration
- Review access logs for successful password resets or email verifications that weren't initiated by legitimate users
- Track and alert on any unauthorized account access following password reset operations
How to Mitigate CVE-2026-30941
Immediate Actions Required
- Upgrade Parse Server to version 8.6.14 or 9.5.2-alpha.1 immediately
- Review logs for any evidence of exploitation attempts against password reset or email verification endpoints
- Consider temporarily disabling password reset and email verification functionality if immediate patching is not possible
- Implement input validation at the network level to block requests with non-string token values
Patch Information
Parse Server has released security patches that address this vulnerability by implementing proper type validation on the token field. The fix ensures that token values are validated as strings before being used in database queries, preventing MongoDB operator injection.
- Version 8.6.14: Stable release with the security fix - GitHub Parse Server Release 8.6.14
- Version 9.5.2-alpha.1: Alpha release with the security fix - GitHub Parse Server Release 9.5.2-alpha.1
For full technical details, see the GitHub Security Advisory GHSA-vgjh-hmwf-c588.
Workarounds
- Deploy a reverse proxy or WAF in front of Parse Server to validate and sanitize incoming requests to authentication endpoints
- Disable the emailVerifyTokenReuseIfValid configuration option to reduce the window of opportunity for token extraction
- Implement custom middleware to validate that the token field in password reset and email verification requests is a string type before processing
- Consider implementing additional rate limiting and IP-based restrictions on sensitive authentication endpoints
# Example: Disable emailVerifyTokenReuseIfValid in Parse Server configuration
# In your Parse Server configuration file or initialization code:
# Set emailVerifyTokenReuseIfValid to false to limit token reuse exposure
# emailVerifyTokenReuseIfValid: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
