Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server’s GraphQL endpoint previously returned "Did you mean …?" suggestions in validation error messages, revealing internal schema metadata such as class names, field names, and mutation names. An attacker who only knows the public application ID can send malformed queries and use these suggestions to reconstruct the entire schema. The result is a disclosure of sensitive structural information that can aid subsequent attacks. This flaw is categorized as a Sensitive Information Exposure (CWE‑209).

Affected Systems

The vulnerability affects parse-community:parse-server deployments running any version older than 8.6.78 or 9.9.1‑alpha.2. The software can be hosted on any Node.js‑capable environment, so any public instance of the affected Parse Server version is susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw through unauthenticated HTTP requests to the GraphQL endpoint; only knowledge of the public application ID is required to begin the iterative discovery process. Because the issue can be fully remediated by upgrading to a patched version, the risk can be mitigated by following the official fix.

Generated by OpenCVE AI on June 12, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.78 or later, or to 9.9.1‑alpha.2 or later if using the alpha series.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the GraphQL endpoint or enforce authentication before GraphQL queries are accepted.
  • Monitor GraphQL error logs for repeated validation‑error patterns that may indicate an enumeration attempt, and investigate any suspicious activity.

Generated by OpenCVE AI on June 12, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8cph-rgr4-g5vj Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
History

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
Title Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
Weaknesses CWE-209
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:04:40.587Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47248

cve-icon Vulnrichment

Updated: 2026-06-12T20:04:37.465Z

cve-icon NVD

Status : Received

Published: 2026-06-12T19:16:28.713

Modified: 2026-06-12T19:16:28.713

Link: CVE-2026-47248

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information