GHSA-8CPH-RGR4-G5VJ Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers

Impact Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct...

GHSA-WXWM-3FXV-MRVX Directus: GraphQL Schema SDL Disclosure Setting

Summary When GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same...

Information Exposure

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Information Exposure via the serverspecsgraphql resolver on the /graphql/system endpoint, which returns an SDL representation of the schema...

PT-2026-30330

Name of the Vulnerable Software and Affected Versions Directus affected versions not specified Description When GRAPHQL INTROSPECTION=false is configured, Directus blocks standard GraphQL introspection queries but the /graphql/system endpoint's server specs graphql resolver returns an equivalent...

EUVD-2026-10171

Parse Server: GraphQL type introspection bypass via inline fragments when public introspection is disabled...

CVE-2026-30854

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...