Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Origin API Exploitation
Action: Apply Patch
AI Analysis

Impact

Parse Server's GraphQL API endpoint omitted respect for the allowOrigin server option in versions prior to 8.6.66 and 9.7.0‑alpha.10. As a result, any web page could set its Origin header to any value and the server answered with the appropriate CORS headers, effectively permitting cross‑origin requests from any website. This bypasses the operator‑configured origin restrictions that are intended to limit which domains may interact with the Parse Server API. Though the REST API correctly enforces these restrictions, the GraphQL endpoint does not, allowing malicious sites to use browser‑based requests to access or manipulate data through GraphQL queries if the user has been authenticated or the data is publicly exposed.

Affected Systems

The vulnerability affects the open‑source Parse Server from the parse-community project. All releases before version 8.6.66 and before the 9.7.0‑alpha.10 release are vulnerable. The affected environment is any deployment of Parse Server on Node.js that relies on the GraphQL API endpoint without a custom proxy or firewall configuration.

Risk and Exploitability

The severity score is CVSS 5.3, indicating a moderate level of risk, while the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically exploit the issue by hosting a malicious web page that sends cross‑origin requests the GraphQL endpoint, potentially exfiltrating data or performing unauthorized actions if authentication mechanisms are bypassed or weak. The available patch in versions 8.6.66 and 9.7.0‑alpha.10 removes the logic that ignores the allowOrigin setting, restoring proper CORS enforcement.

Generated by OpenCVE AI on April 2, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Parse Server to at least version 8.6.66 or 9.7.0‑alpha.10.
  • Verify that the allowOrigin configuration is correctly set to trusted origins.
  • If an upgrade is not feasible, consider disabling the GraphQL endpoint or implementing a reverse proxy that enforces CORS restrictions.

Generated by OpenCVE AI on April 2, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q3p6-g7c4-829c GraphQL API endpoint ignores CORS origin restriction
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
Title Parse Server: GraphQL API endpoint ignores CORS origin restriction
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:23:43.697Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34373

cve-icon Vulnrichment

Updated: 2026-03-31T17:23:40.453Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:19.060

Modified: 2026-04-02T18:40:32.613

Link: CVE-2026-34373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:28Z

Weaknesses