Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
Published: 2026-03-31
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch Immediately
AI Analysis

Impact

Parse Server, an open‑source Node.js backend, had a flaw that allowed HTTP Range requests to skip the afterFind(Parse.File) trigger. The trigger normally enforces authorization checks such as requireUser, and without it an attacker is able to obtain files that should be protected. The vulnerability is a classic example of improper authorization validation (CWE‑285).

Affected Systems

The issue affects parse-community’s Parse Server for all releases before 8.6.71 and before 9.7.1-alpha.1. It applies to installations that use storage adapters that support streaming, such as the default GridFS adapter, on any infrastructure capable of running Node.js.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity, and the EPSS score of less than 1% suggests the likelihood of exploitation is currently low, though the vulnerability is not listed in the KEV catalog. Attackers can trigger the vulnerability remotely by sending a Range-header based download request to a file that is normally gated by an afterFind trigger. If successful, the attacker gains read access to protected files, compromising confidentiality and potentially enabling further exploitation.

Generated by OpenCVE AI on April 2, 2026 at 04:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.71 or newer, or 9.7.1-alpha.1 or newer, which contains the patch that enforces afterFind validation on streaming downloads.
  • Verify that afterFind triggers and requiredUser validators are correctly configured for any protected file types.
  • If immediate upgrade is not possible, temporarily disable HTTP Range support or restrict streaming adapters until a patched version is deployed.
  • Monitor access logs for unexpected file download patterns and audit for unauthorized access after deployment of the fix.

Generated by OpenCVE AI on April 2, 2026 at 04:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hpm8-9qx6-jvwv Parser Server's streaming file download bypasses afterFind file trigger authorization
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
Title Parse Server: Streaming file download bypasses afterFind file trigger authorization
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T20:29:38.765Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34784

cve-icon Vulnrichment

Updated: 2026-03-31T20:29:34.734Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:29.490

Modified: 2026-04-01T17:06:54.370

Link: CVE-2026-34784

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:11:00Z

Weaknesses