Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

An attacker can send an unauthenticated HTTP request containing a deeply nested query with logical operators to the Parse Server API. The malformed query bypasses the pre‑validation transform pipeline, causing the server to enter a permanent hang state. The Parse Server process becomes unresponsive and must be manually restarted, resulting in a complete service outage. This vulnerability is a direct bypass of a previous fix (CVE-2026-32944) and therefore represents a critical availability flaw.

Affected Systems

The vulnerability impacts the open‑source Parse Platform. Specifically, any deployment of parse‑server before version 8.6.55 or before 9.6.0‑alpha.44 is affected. Users running older 8.x or 9.x releases on Node.js environments are susceptible. The vulnerability applies to all editions of the product, regardless of configuration, as the trigger is an unauthenticated HTTP request.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity due to the impact on availability and the lack of authentication required. The EPSS score of less than 1% suggests that, while the exploit probability is low, the vulnerability can still be leveraged in targeted attacks. The issue is not listed in the CISA KEV catalog, meaning there is no publicly known active exploitation. Attackers would need network access to the Parse Server endpoint and would craft a request with a highly nested query to produce the hang.

Generated by OpenCVE AI on March 25, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that introduces version 8.6.55 or later for the 8.x line
  • Apply the patch that introduces version 9.6.0‑alpha.44 or later for the 9.x line
  • Verify that your Parse Server instance is running a non‑vulnerable release before restarting or redeploying
  • If upgrade is not feasible, monitor API traffic for unusually deep query structures and consider temporarily blocking requests that exceed a safe depth threshold
  • Ensure the deployment environment is patched regularly and that no legacy versions remain in production

Generated by OpenCVE AI on March 25, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9fjp-q3c4-6w3j Parse Server has a query condition depth bypass via pre-validation transform pipeline
History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 24 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
Title Parse Server: Query condition depth bypass via pre-validation transform pipeline
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:13.415Z

Reserved: 2026-03-20T16:59:08.887Z

Link: CVE-2026-33498

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:28.149Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T19:16:54.057

Modified: 2026-03-25T21:21:45.887

Link: CVE-2026-33498

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:18:59Z

Weaknesses