BIT-PARSE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a...

CVE-2026-34373

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

GraphQL API endpoint ignores CORS origin restriction

Impact The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly...

GHSA-G4CF-XJ29-WQQR Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Impact An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured...

GHSA-7XG7-RQF6-PW6C Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Impact The GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and...