Impact
In Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint bypasses the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint without providing a valid application or API key and thereby execute arbitrary GraphQL operations, retrieve the full schema via introspection even when public introspection is disabled, and send extremely complex queries that evade the configured complexity limits. This vulnerability is a Classic Authentication Bypass (CWE-306) that can lead to unauthorized data disclosure and potential denial-of-service conditions by exhausting server resources.
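The model below is an added illustration, not Parse Server's own code. It shows the pattern the advisory describes: the HTTP path runs an Express-style guard (application key, introspection gate, complexity cap) while a WebSocket path can reach the executor without it, and the hardened shape applies one transport-agnostic guard to both. The header and connection-parameter name, the depth limit, and the 4401 close code are assumptions for the example.

```javascript
// Constructed policy; Parse Server's real configuration keys are not modelled here.
const policy = { appId: 'app-id-constructed', allowIntrospection: false, maxDepth: 5 };

// Crude complexity proxy: deepest nesting of '{' in the GraphQL document.
function queryDepth(query) {
  let depth = 0, max = 0;
  for (const ch of query) {
    if (ch === '{') max = Math.max(max, ++depth);
    else if (ch === '}') depth--;
  }
  return max;
}

// One guard for every transport: credentials, introspection gate, complexity cap.
// __typename is left alone; only __schema / __type count as schema introspection.
function guardOperation(creds, query, opts = policy) {
  if (!creds || creds.appId !== opts.appId) return { allowed: false, reason: 'missing or invalid application id' };
  if (!opts.allowIntrospection && /\b__(schema|type)\b/.test(query)) return { allowed: false, reason: 'introspection disabled' };
  if (queryDepth(query) > opts.maxDepth) return { allowed: false, reason: 'query exceeds depth limit ' + opts.maxDepth };
  return { allowed: true };
}

// HTTP path: the middleware chain consults the guard before the handler runs.
// Header name is an assumption for this example.
function httpGraphql(headers, body, opts = policy) {
  const verdict = guardOperation({ appId: headers['x-parse-application-id'] }, body.query, opts);
  return verdict.allowed ? { status: 200 } : { status: 401, error: verdict.reason };
}

// Vulnerable WebSocket shape: the upgrade path never touches the middleware,
// so any connecting client is served, introspection and deep queries included.
function wsSubscribeVulnerable(connectionParams, payload) {
  return { ack: true, executed: payload.query };
}

// Hardened WebSocket shape: the same guard runs against the connection_init
// params and again on every subscribe payload, mirroring the HTTP checks.
function wsSubscribeHardened(connectionParams, payload, opts = policy) {
  const creds = { appId: (connectionParams || {})['X-Parse-Application-Id'] };
  const verdict = guardOperation(creds, payload.query, opts);
  return verdict.allowed
    ? { ack: true, executed: payload.query }
    : { ack: false, close: 4401, error: verdict.reason };
}
```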
Affected Systems
The affected product is the open-source Parse Server (parse-community:parse-server) in any Node.js-capable environment. Vulnerable releases are those before 8.6.40 and before 9.6.0-alpha.14, including all releases from 9.6.0-alpha.1 through 9.6.0-alpha.13. The published CPE list enumerates 9.6.0-alpha.1 through alpha.13 as well as earlier alpha releases.
Risk and Exploitability
The CVSS score is 6.9, indicating moderate severity, and the EPSS probability is below 1%. The vulnerability is not listed in the CISA KEV catalog. It can be exploited remotely by connecting to the WebSocket endpoint over the network, without local privileges or valid credentials, which allows the attacker to bypass authentication and the other controls enforced on the HTTP path.
OpenCVE Enrichment
Github GHSA