Parse Server 授权问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.71 and 9.7.1-alpha.1 contain vulnerabilities related to authorization. These vulnerabilities stem from HTTP Range requests...

PT-2026-29272

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.67 Parse Server versions prior to 9.7.0-alpha.11 Description Parse Server is an open source backend deployable on Node.js infrastructures. An attacker can bypass Cloud Function validator access controls by...

PT-2026-29277

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.68 Parse Server versions prior to 9.7.0-alpha.12 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a denial-of-service condition. A crafted GraphQL quer...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.64 and 9.7.0-alpha.8. These vulnerabilities allowed attackers to send concurrent login...

Parse Server 竞争条件问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were vulnerabilities due to concurrency issues in versions of Parse Server prior to 8.6.65 and 9.7.0-alpha.9. These vulnerabilities stemmed from the sensitive...

PT-2026-29278

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.69 and 9.7.0-alpha.14 Description An authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session update endpoint. This...

@kontaa/subgraph (>=1.0.1 <=1.2.3), @kontaa/utils (>=1.2.1 <=1.2.3) +6 more potentially affected by CVE-2026-34373 via parse-server (>=5.6.0 <=7.5.4)

parse-server NPM version =5.6.0, =1.0.1, =1.2.1, =2.4.46, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =1.0.1 - servable-publishable =1.1.0 Source cves: CVE-2026-34373 Source advisory: SNYK:JS-PARSESERVER-15855397...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34373 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34373 Source advisory: SNYK:JS-PARSESERVER-15855397...

Origin Validation Error

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Origin Validation Error via the GraphQL API endpoint ignoring the configured CORS allowOrigin restriction. An attacker can...

@kontaa/subgraph (>=1.0.1 <=1.2.3), @kontaa/utils (>=1.2.1 <=1.2.3) +6 more potentially affected by CVE-2026-34373 via parse-server (>=5.6.0 <=7.5.4)

parse-server NPM version =5.6.0, =1.0.1, =1.2.1, =2.4.46, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =1.0.1 - servable-publishable =1.1.0 Source cves: CVE-2026-34373 Source advisory: OSV:GHSA-Q3P6-G7C4-829C...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34373 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34373 Source advisory: OSV:GHSA-Q3P6-G7C4-829C...

GHSA-Q3P6-G7C4-829C GraphQL API endpoint ignores CORS origin restriction

Impact The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly...

GraphQL API endpoint ignores CORS origin restriction

Impact The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34363 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34363 Source advisory: OSV:GHSA-M983-V2FF-WQ65...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34363 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34363 Source advisory: OSV:GHSA-M983-V2FF-WQ65...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34363 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34363 Source advisory: SNYK:JS-PARSESERVER-15855398...

GHSA-M983-V2FF-WQ65 LiveQuery protected field leak via shared mutable state across concurrent subscribers

Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...

LiveQuery protected field leak via shared mutable state across concurrent subscribers

Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...

Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition in the handling of concurrent LiveQuery subscribers due to shared mutable state. An attacker can access...

PT-2026-29167

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.66 Parse Server versions prior to 9.7.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the...