Lucene search

6715 matches found

EUVD, added 2026/03/11 12:23 a.m., 1 view

EUVD-2026-10928

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction...

CVSS 8.8, AI score 5.8, EPSS 0.00164, Exploits 0, References 3
OSV, added 2026/03/11 12:23 a.m., 1 view

GHSA-7M6R-FHH7-R47C Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction

Impact: The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bin...

CVSS 6, AI score 5.8, EPSS 0.00164, Exploits 0, References 5
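The two places the advisory names, the DN and the group search filter, need two different escaping rules: RFC 4514 for DN attribute values and RFC 4515 for filter assertion values. The block below is an added example, not Parse Server's adapter code; the base DN, the group filter shape, the `*)(uid=*` test input and the helper names are assumptions for illustration. It puts the raw-interpolation shape beside the escaped one and counts filter clauses so the injected clause is visible.

```javascript
// Added example, not Parse Server's own code: escape untrusted input before it
// is placed in an LDAP Distinguished Name (RFC 4514) or a search filter
// (RFC 4515). The advisory describes authData.id being interpolated into both
// without escaping. The base DN, the group filter shape and the helper names
// here are assumptions for illustration.

// RFC 4514: inside a DN attribute value, escape \ , + " < > ; = with a
// backslash, encode NUL as \00, and escape a leading space or '#' and a
// trailing space.
function escapeDnValue(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if ('\\,+"<>;='.includes(ch)) {
      out += '\\' + ch;
    } else if (ch === '\0') {
      out += '\\00';
    } else if ((i === 0 && (ch === ' ' || ch === '#')) ||
               (i === s.length - 1 && ch === ' ')) {
      out += '\\' + ch;
    } else {
      out += ch;
    }
  }
  return out;
}

// RFC 4515: inside a filter assertion value, encode \ * ( ) and NUL as a
// backslash plus two hex digits so they can never open or close a clause.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Unsafe construction of the kind the advisory describes: raw interpolation.
function unsafeGroupFilter(userDn, groupCn) {
  return `(&(cn=${groupCn})(member=${userDn}))`;
}

// Safe construction: the id is escaped as a DN value when the DN is built,
// and the whole DN is escaped again as a filter value when it is embedded.
function buildUserDn(userId, baseDn) {
  return `uid=${escapeDnValue(userId)},${baseDn}`;
}

function buildGroupFilter(userDn, groupCn) {
  return `(&(cn=${escapeFilterValue(groupCn)})(member=${escapeFilterValue(userDn)}))`;
}

// Counts unescaped '(' in a filter; an injected clause shows up as an extra one.
function countFilterClauses(filter) {
  let n = 0;
  for (let i = 0; i < filter.length; i++) {
    if (filter[i] === '\\') { i += 2; continue; } // skip a \xx escape
    if (filter[i] === '(') n++;
  }
  return n;
}
```

Note that `escapeFilterValue` is applied to the already DN-escaped value: the backslash the DN layer inserted becomes `\5c`, so a filter parser sees only `\xx` escapes and never a bare metacharacter.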
vulnersOsv, added 2026/03/11 12:23 a.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31828 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31828 Source advisory: OSV:GHSA-7M6R-FHH7-R47C...

CVSS 8.8, AI score 5.8, EPSS 0.00164, Exploits 0
OSV, added 2026/03/11 12:23 a.m., 4 views

GHSA-7XG7-RQF6-PW6C Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Impact: The GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and...

CVSS 8.8, AI score 5.8, EPSS 0.00106, Exploits 0, References 5
Snyk, added 2026/03/11 12:23 a.m., 1 view

Missing Authorization

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization via the generic /classes/GraphQLConfig and /classes/Audience REST API routes, which do not enforce...

CVSS 9.1, AI score 5.8, EPSS 0.00106, Exploits 0, References 2
EUVD, added 2026/03/11 12:23 a.m., 2 views

EUVD-2026-10889

Parse Server: Classes GraphQLConfig and Audience master key bypass via generic class routes...

CVSS 8.8, AI score 5.8, EPSS 0.00106, Exploits 0, References 4
vulnersOsv, added 2026/03/11 12:23 a.m., 2 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31800 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31800 Source advisory: OSV:GHSA-7XG7-RQF6-PW6C...

CVSS 9.1, AI score 5.8, EPSS 0.00106, Exploits 0
Github Security Blog, added 2026/03/11 12:23 a.m., 4 views

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Impact: The GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and...

CVSS 9.1, AI score 5.8, EPSS 0.00106, Exploits 0, References 5, Affected Software 1
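The pattern in this advisory is a dedicated endpoint that enforces the master key while a generic route reaches the same data without it. The block below is an added example, not Parse Server's own fix: one gate on the generic `/classes/<className>` route that keeps the internal classes named in the advisory master-key-only. The class set is taken from the advisory text, and the request shape (`{ method, path, auth: { isMaster } }`) and the function names are assumptions for illustration.

```javascript
// Added example, not Parse Server's own code: one authorization gate for the
// generic /classes/<className> routes so that internal classes which are
// master-key-only on their dedicated endpoints stay master-key-only here too.
// The class set comes from the advisory text; the request shape and the
// function names are assumptions for illustration.

// Assumption: the internal classes named in the advisory. A real deployment
// should enumerate every master-key-only class it exposes.
const MASTER_KEY_ONLY_CLASSES = new Set(['_GraphQLConfig', '_Audience']);

// Extract the class name from /classes/<name> or /classes/<name>/<objectId>,
// decoding percent-encoding so /classes/%5FAudience is not a way around the check.
function classNameFromPath(path) {
  const m = /^\/classes\/([^/?#]+)(?:\/[^/?#]+)?\/?$/.exec(path);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed encoding: treat as not a class route
  }
}

// req: { method, path, auth: { isMaster } }. Returns an allow/deny decision
// that the route handler must honour before touching the database.
function authorizeClassRoute(req) {
  const className = classNameFromPath(req.path);
  if (className === null) {
    return { allowed: false, reason: 'not a class route' };
  }
  const isMaster = Boolean(req.auth && req.auth.isMaster);
  if (MASTER_KEY_ONLY_CLASSES.has(className) && !isMaster) {
    return { allowed: false, reason: `${className} requires the master key` };
  }
  return { allowed: true, className };
}

// Constructed requests for the scenarios in the advisory: read, modify and
// delete on the internal classes through the generic route.
function runScenarios() {
  const noMaster = { isMaster: false };
  const master = { isMaster: true };
  return {
    readAudience: authorizeClassRoute({ method: 'GET', path: '/classes/_Audience', auth: noMaster }).allowed,
    deleteGraphQLConfig: authorizeClassRoute({ method: 'DELETE', path: '/classes/_GraphQLConfig/abc123', auth: noMaster }).allowed,
    encodedBypassAttempt: authorizeClassRoute({ method: 'PUT', path: '/classes/%5FAudience/abc123', auth: noMaster }).allowed,
    masterRead: authorizeClassRoute({ method: 'GET', path: '/classes/_GraphQLConfig', auth: master }).allowed,
    ordinaryClass: authorizeClassRoute({ method: 'GET', path: '/classes/GameScore', auth: noMaster }).allowed,
  };
}
```

The gate decides on the decoded class name rather than on the literal path, so the same check applies whether the client writes `_Audience` or `%5FAudience`; the decision is made once, before any read, update or delete is dispatched.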
EUVD, added 2026/03/11 12:23 a.m., 1 view

EUVD-2026-10888

Parse Server: Classes GraphQLConfig and Audience master key bypass via generic class routes...

CVSS 9.1, AI score 5.8, EPSS 0.00106, Exploits 0, References 4
EUVD, added 2026/03/11 12:21 a.m., 2 views

EUVD-2026-10886

Parse Server has a rate limit bypass via batch request endpoint...

CVSS 7.5, AI score 5.8, EPSS 0.00062, Exploits 0, References 4
Snyk, added 2026/03/11 12:21 a.m., 1 view

Improper Control of Interaction Frequency

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Control of Interaction Frequency in the batch endpoint, which processes sub-requests internally and bypasses the...

CVSS 7.5, AI score 5.8, EPSS 0.00062, Exploits 0, References 2
EUVD, added 2026/03/11 12:21 a.m., 3 views

EUVD-2026-10887

Parse Server has a rate limit bypass via batch request endpoint...

CVSS 6.9, AI score 5.8, EPSS 0.00062, Exploits 0, References 4
Github Security Blog, added 2026/03/11 12:21 a.m., 6 views

Parse Server has a rate limit bypass via batch request endpoint

Impact: Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

CVSS 7.5, AI score 5.8, EPSS 0.00062, Exploits 0, References 5, Affected Software 1
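A limiter that sits only in the HTTP middleware layer counts requests, not work: one `/batch` request carrying many sub-requests costs a single unit. The block below is an added example, not Parse Server's own code; it simulates a fixed-window limiter charged once per outer request beside one charged once per sub-request. The limiter, the batch body shape, the client key and the function names are assumptions for illustration.

```javascript
// Added example, not Parse Server's own code: a fixed-window limiter charged
// once per HTTP request (the middleware-layer shape the advisory describes
// /batch slipping past) beside one charged once per batch sub-request. The
// limiter, the batch body shape and the function names are assumptions.

class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // clientKey -> { count, windowStart }
  }

  // Charge one unit to clientKey at time now (ms). Returns true while the
  // client is within the limit for the current window.
  charge(clientKey, now) {
    let bucket = this.buckets.get(clientKey);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: now };
      this.buckets.set(clientKey, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Constructed batch body: n sub-requests against one class.
function makeBatch(n) {
  return {
    requests: Array.from({ length: n }, (_, i) => ({
      method: 'POST',
      path: '/classes/GameScore',
      body: { score: i },
    })),
  };
}

// Vulnerable shape: the middleware charges the outer /batch request once and
// the sub-requests are dispatched internally, so a batch of any size costs 1.
function handleBatchMiddlewareOnly(limiter, clientKey, batch, now) {
  if (!limiter.charge(clientKey, now)) {
    return batch.requests.map(() => 429);
  }
  return batch.requests.map(() => 200); // dispatched past the middleware
}

// Hardened shape: every sub-request is charged to the same client key before
// it is dispatched, so a batch cannot do more work than the limit allows.
function handleBatchPerSubRequest(limiter, clientKey, batch, now) {
  return batch.requests.map(() =>
    limiter.charge(clientKey, now) ? 200 : 429);
}

function countOk(statuses) {
  return statuses.filter((s) => s === 200).length;
}
```

The per-sub-request shape charges the same key the middleware would have used for a direct request, so the limit means the same thing whichever route the client takes; a limiter keyed per path can apply each sub-request's own path in the same loop.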
vulnersOsv, added 2026/03/11 12:21 a.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30972 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30972 Source advisory: OSV:GHSA-775H-3XRC-C228...

CVSS 7.5, AI score 5.8, EPSS 0.00062, Exploits 0
EUVD, added 2026/03/11 12:21 a.m., 3 views

EUVD-2026-10884

Parse Server OAuth2 authentication adapter account takeover via identity spoofing...

CVSS 8.8, AI score 5.8, EPSS 0.00127, Exploits 0, References 4
EUVD, added 2026/03/11 12:21 a.m., 1 view

EUVD-2026-10885

Parse Server OAuth2 authentication adapter account takeover via identity spoofing...

CVSS 7.6, AI score 5.8, EPSS 0.00127, Exploits 0, References 4
OSV, added 2026/03/11 12:21 a.m., 3 views

GHSA-FR88-W35C-R596 Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Impact: The OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token...

CVSS 7.6, AI score 5.8, EPSS 0.00127, Exploits 0, References 5
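Token introspection (RFC 7662) answers whether a token is live, not whose it is; binding the token to the identity the client asserts in `authData.id` is a separate check. The block below is an added example, not Parse Server's adapter code: the active-only check the advisory describes beside a fail-closed check that requires a configured `useridField`, requires the claim to be present, and requires it to equal `authData.id`. The function names, the option name, the `exp` handling and the constructed introspection response are assumptions for illustration.

```javascript
// Added example, not Parse Server's own code: checking an OAuth2 token
// introspection response (RFC 7662) against the identity the client claims in
// authData.id. The advisory describes the adapter checking only `active` when
// useridField is unset; the function names, the option name and the
// constructed responses below are assumptions for illustration.

// Vulnerable shape: any active token is accepted, whoever it was issued to.
function validateActiveOnly(introspection) {
  return introspection.active === true;
}

// Hardened shape: fail closed unless a useridField is configured, the claim
// is present, and it equals the identity the client asserted in authData.id.
// nowSeconds lets the optional RFC 7662 exp claim be enforced as well.
function validateTokenOwner(introspection, authData, options, nowSeconds) {
  if (!introspection || introspection.active !== true) {
    return { ok: false, reason: 'token not active' };
  }
  if (typeof introspection.exp === 'number' && introspection.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  const field = options && options.useridField;
  if (!field) {
    return { ok: false, reason: 'useridField not configured' };
  }
  const claimed = introspection[field];
  if (typeof claimed !== 'string' || claimed.length === 0) {
    return { ok: false, reason: `introspection response has no ${field} claim` };
  }
  if (!authData || claimed !== String(authData.id)) {
    return { ok: false, reason: 'token does not belong to authData.id' };
  }
  return { ok: true, userId: claimed };
}

// Constructed introspection response for a token the attacker legitimately
// holds, and the authData the attacker sends while claiming the victim's id.
const ATTACKER_TOKEN_INTROSPECTION = {
  active: true,
  sub: 'attacker-42',
  scope: 'openid profile',
  exp: 1900000000,
};
const SPOOFED_AUTH_DATA = { id: 'victim-7', access_token: 'attacker-access-token' };
const HONEST_AUTH_DATA = { id: 'attacker-42', access_token: 'attacker-access-token' };
```

With `useridField` unset the hardened check refuses rather than falling back to the active-only path, so a misconfigured adapter fails loudly instead of silently accepting any live token from the provider.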
Snyk, added 2026/03/11 12:21 a.m., 0 views

Insufficiently Protected Credentials

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the OAuth2 authentication process when the useridField option is not set. An attacke...

CVSS 8.8, AI score 5.8, EPSS 0.00127, Exploits 0, References 2
vulnersOsv, added 2026/03/11 12:21 a.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30967 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30967 Source advisory: OSV:GHSA-FR88-W35C-R596...

CVSS 8.8, AI score 5.8, EPSS 0.00127, Exploits 0
vulnersOsv, added 2026/03/11 12:21 a.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30966 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30966 Source advisory: OSV:GHSA-5F92-JRQ3-28RC...

CVSS 10, AI score 5.8, EPSS 0.00064, Exploits 0