Lucene search
K

9 matches found

OSV
OSV
added 2026/03/11 3:49 p.m.3 views

BIT-PARSE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1 to before version 9.5.0, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the...

6.9CVSS5.7AI score0.00278EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/09 5:42 p.m.10 views

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Impact When graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. schema introspection is not affected. Patches The check was chang...

6.9CVSS5.8AI score0.00278EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/09 5:42 p.m.4 views

GHSA-Q5Q9-2RHP-33QW Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Impact When graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. schema introspection is not affected. Patches The check was chang...

6.9CVSS5.8AI score0.00278EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/07 6:44 p.m.2 views

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the type query nested inside inline fragments when public introspection is disabled. An attacker...

6.9CVSS5.8AI score0.00278EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/07 4:24 p.m.2 views

CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

6.9CVSS5.7AI score0.00278EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/07 4:24 p.m.29 views

CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

6.9CVSS0.00278EPSS
Exploits0References1
CVE
CVE
added 2026/03/07 4:24 p.m.26 views

CVE-2026-30854

Parse Server vulnerability CVE-2026-30854 affects versions 9.3.1-alpha.3 through before 9.5.0-alpha.10 when graphQLPublicIntrospection is disabled. Nested __type queries inside inline fragments (for example ... on Query { __type(name: "User") { name } }) can bypass introspection controls, enablin...

6.9CVSS5.7AI score0.00278EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/03/07 4:24 p.m.8 views

CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

6.9CVSS5.7AI score0.00278EPSS
Exploits0References3
Veracode
Veracode
added 2025/07/13 6:0 a.m.5 views

Sensitive Information Disclosure

parse-server is vulnerable to Sensitive Information Disclosure. The vulnerability is due to allowing public introspection of schema metadata without requiring a session token or master key, potentially aiding attackers in mapping the API surface...

5.3CVSS6.2AI score0.00814EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder