Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
Published: 2026-03-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Type Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the GraphQL implementation in Parse Server, where inline fragments containing __type queries bypass the public introspection guard when graphQLPublicIntrospection is disabled. This allows unauthenticated users to determine the names of types, such as "User", which is a form of information disclosure. The flaw maps to the CWE-863 weakness of failing to enforce accurate authorization checks for type introspection under controlled circumstances.

Affected Systems

The affected product is the Parse Server open‑source backend. Versions from 9.3.1‑alpha.3 up to, but not including, 9.5.0‑alpha.10 are vulnerable. All instances hosted on any Node.js‑capable infrastructure that have the mentioned range of Parse Server releases should be inspected.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, and the EPSS score is less than 1 %, implying a low likelihood of exploitation at the time of assessment. The issue is not listed in CISA’s KEV catalog. Exploitation requires a client with network access to the exposed GraphQL endpoint and the knowledge that public introspection has been disabled; an attacker can simply send crafted inline‑fragment queries to discover type names.

Generated by OpenCVE AI on April 17, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.0‑alpha.10 or later to apply the official fix for the GraphQL introspection bypass.
  • If an upgrade cannot be performed immediately, restrict access to the GraphQL endpoint so that only authenticated users or trusted clients can reach it, for example by placing a firewall or API gateway in front of the service.
  • Confirm that the feature flag `graphQLPublicIntrospection` remains disabled; this flag alone does not protect against the bypass and should only be used in combination with the vendor patch.

Generated by OpenCVE AI on April 17, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5q9-2rhp-33qw Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
History

Tue, 10 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Sat, 07 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
Title Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:25:03.815Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30854

cve-icon Vulnrichment

Updated: 2026-03-09T16:44:24.657Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T17:15:52.910

Modified: 2026-03-10T16:52:21.327

Link: CVE-2026-30854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses