Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
Published: 2026-03-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification and deletion of GraphQL configuration and push audience data due to master key bypass
Action: Immediate Patch
AI Analysis

Impact

Parse Server allows unauthenticated access to the internal _GraphQLConfig and _Audience classes through the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes. This bypasses the master key enforcement that is present on dedicated endpoints, enabling an attacker to read, modify, or delete GraphQL configuration and push audience data without any credential. The flaw represents an authorization bypass vulnerability (CWE-862) that can compromise the integrity and confidentiality of application configuration and push notification audiences.

Affected Systems

The vulnerability affects Parse Server versions prior to 8.6.25 and 9.5.2-alpha.12, including all 9.5.2-alpha releases up to alpha.11 and any 8.6.x release below 8.6.25. Users running Parse Server on Node.js should verify that they are not using these affected releases.

Risk and Exploitability

With a CVSS score of 8.8, the flaw is rated high severity. The EPSS score is below 1%, indicating a low probability of exploitation at the time of this analysis, and it is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability by issuing HTTP requests to the exposed generic class routes, which require neither authentication nor the master key. The attack path is straightforward for anyone with network access to the Parse Server instance.

Generated by OpenCVE AI on April 16, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Parse Server 8.6.25 or later on the 8.x line, or 9.5.2-alpha.12 or later on the 9.x line.
  • Restrict network access to the /classes/_GraphQLConfig and /classes/_Audience endpoints using firewall rules or network segmentation to limit exposure to trusted hosts.
  • Enable monitoring of access logs for these endpoints and alert on unauthorized attempts to detect exploitation.
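
One way to act on the log-monitoring item above, as an added example that is not part of the OpenCVE advisory or of Parse Server itself: a small Node.js detector that scans constructed access-log lines for requests to the generic class routes named in this CVE. The /parse mount prefix and the "<ip> <method> <path> <status>" log format are assumptions.

```javascript
// Added example (not from OpenCVE or Parse Server): flag log lines that hit the generic
// class routes for _GraphQLConfig and _Audience (CVE-2026-31800). Assumed log
// format (constructed): "<client-ip> <METHOD> <path> <status>".
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Canonicalise the path so encoded or slash-padded variants of a route still match.
function normalizePath(rawPath) {
  let p = rawPath.split('?')[0];
  try { p = decodeURIComponent(p); } catch (e) { /* keep raw on bad encoding */ }
  p = p.replace(/\/+/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

// Returns null for uninteresting requests, otherwise a finding. The REST mount
// point (e.g. /parse) is configurable, so only the route tail is matched.
function classifyRequest(method, rawPath) {
  const m = normalizePath(rawPath).match(/\/classes\/(_GraphQLConfig|_Audience)(\/[^/]+)?$/);
  if (!m) return null;
  return {
    className: m[1],
    objectId: m[2] ? m[2].slice(1) : null,
    // Writes alter config or audiences; reads still disclose them.
    severity: WRITE_METHODS.has(method.toUpperCase()) ? 'high' : 'medium',
  };
}

function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 4) continue;
    const [ip, method, path, status] = parts;
    const hit = classifyRequest(method, path);
    if (hit) findings.push({ ip, method: method.toUpperCase(), status: Number(status), ...hit });
  }
  return findings;
}

// Constructed sample log: a benign class read, three hits (one URL-encoded), and a
// call to the dedicated endpoint, which stays master-key protected.
const SAMPLE_LOG = [
  '10.0.0.5 GET /parse/classes/GameScore 200',
  '203.0.113.7 GET /parse/classes/_GraphQLConfig 200',
  '203.0.113.7 PUT /parse/classes/_GraphQLConfig/1 200',
  '198.51.100.2 DELETE /parse/classes/%5FAudience/abc123 200',
  '10.0.0.5 GET /parse/graphql-config 403',
];
for (const f of scanLog(SAMPLE_LOG)) console.log(`[${f.severity}] ${f.ip} ${f.method} ${f.className}`);
```

Feed it real proxy or application logs after adjusting the field order in scanLog; any "high" finding from an unpatched instance warrants checking the stored GraphQL configuration and audiences for tampering.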



Advisories

Source | ID | Title
GitHub GHSA | GHSA-7xg7-rqf6-pw6c | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
History

Wed, 11 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parseplatform; Parseplatform parse-server
CPEs | | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products | | Parseplatform; Parseplatform parse-server
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Wed, 11 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parse Community; Parse Community parse Server
Vendors & Products | | Parse Community; Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T16:00:38.736Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31800

Vulnrichment

Updated: 2026-03-11T15:53:43.499Z

NVD

Status : Analyzed

Published: 2026-03-10T21:16:49.683

Modified: 2026-03-11T18:30:54.260

Link: CVE-2026-31800

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses