Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server’s routeAllowList feature is meant to restrict external clients to a predefined list of REST API routes. The enforcement is performed only as Express middleware that examines the outer HTTP request URL. When a caller issues a request to the /batch endpoint, the server dispatches each sub‑request internally to the router without re‑applying the allow‑list check. This allows an attacker to send batch sub‑requests that target routes omitted from the allow‑list, granting access to API endpoints that the operator intended to block. Authentication, ACL, and CLP controls are still enforced on the inner routes, so the attacker does not automatically gain full privileges, but the operator‑defined route firewall is bypassed, potentially exposing or modifying data if the inner authorizations are insufficient. The likely attack vector is sending an HTTP request to the /batch endpoint with crafted sub‑requests.
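An added illustration of the gap described above beside a check that closes it; this is example code, not Parse Server's own middleware. It assumes a simplified allow-list of { method, path: RegExp } rules and the Parse REST batch body shape (requests: [{ method, path, body }]).

```javascript
// Added illustration (not Parse Server's own code). Assumptions: the
// allow-list is an array of { method, path: RegExp } rules; a request is
// { method, path, body }; a batch body carries body.requests as an array of
// { method, path, body }, which is the Parse REST batch shape.
function isRouteAllowed(allowList, method, path) {
  return allowList.some(
    (rule) => rule.method === String(method).toUpperCase() && rule.path.test(path)
  );
}

// Outer-URL-only check: the behaviour the advisory describes. A batch
// passes as soon as /batch itself is allow-listed, whatever it contains.
function outerOnlyCheck(allowList, req) {
  return isRouteAllowed(allowList, req.method, req.path);
}

// Hardened check: the outer URL must pass, and for /batch every sub-request
// must pass the same rule set. Nested /batch sub-requests and malformed
// entries are denied rather than silently skipped.
function checkWithBatch(allowList, req) {
  if (!isRouteAllowed(allowList, req.method, req.path)) {
    return { allowed: false, denied: [req.path] };
  }
  if (req.path !== '/batch') return { allowed: true, denied: [] };
  const subs = req.body && Array.isArray(req.body.requests) ? req.body.requests : [];
  const denied = [];
  for (const s of subs) {
    const ok = s && typeof s.path === 'string' && typeof s.method === 'string'
      && s.path !== '/batch' && isRouteAllowed(allowList, s.method, s.path);
    if (!ok) denied.push(s && typeof s.path === 'string' ? s.path : '<malformed>');
  }
  return { allowed: denied.length === 0, denied };
}

// Constructed sample allow-list: the operator exposes /batch and class reads.
const SAMPLE_ALLOW_LIST = [
  { method: 'POST', path: /^\/batch$/ },
  { method: 'GET', path: /^\/classes\/[A-Za-z_]+(\/[^/]+)?$/ },
];

// Constructed sample batch: one allowed read plus a write the operator left
// off the external surface.
const SAMPLE_BATCH = {
  method: 'POST', path: '/batch',
  body: { requests: [
    { method: 'GET', path: '/classes/Item/abc123' },
    { method: 'PUT', path: '/classes/Item/abc123', body: { name: 'renamed' } },
  ] },
};
```

The outer-only check accepts SAMPLE_BATCH because POST /batch is allow-listed; the hardened check rejects it and names the PUT sub-request path, which is what a log line for the monitoring step in the recommended actions should carry.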

Affected Systems

The vulnerability affects the parse-community Parse Server product. Versions ranging from 9.8.0 up to but excluding 9.9.1‑alpha.3, when deployed on any Node.js‑capable infrastructure, are susceptible.

Risk and Exploitability

The CVSS score of 6.9 places this flaw in the medium range, and the EPSS score of less than 1% indicates a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to reach the server remotely over HTTP, know the API surface, and construct a batch payload targeting omitted routes. The internal authentication and ACL layers remain active, but the bypassed route firewall can expose or alter data if those controls are not stringent. Despite the low exploitation likelihood, the potential impact of unauthorized access to protected API routes warrants prompt remediation.

Generated by OpenCVE AI on June 12, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to 9.9.1‑alpha.3 or a newer release, which fixes the routeAllowList bypass.
  • If an upgrade cannot be performed immediately, block external access to the /batch endpoint using firewall rules or network controls until the patched version is deployed.
  • Monitor server logs for batch activity and attempts to access routes that should be restricted by the routeAllowList.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Fri, 12 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.

Type: Title
Values Added: Parse Server: Server option routeAllowList is bypassable through batch sub-requests

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added: none

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T19:00:55.520Z

Reserved: 2026-06-02T22:46:02.578Z

Link: CVE-2026-50008

Vulnrichment

Updated: 2026-06-12T19:00:51.762Z

NVD

Status: Received

Published: 2026-06-12T19:16:29.187

Modified: 2026-06-12T19:16:29.187

Link: CVE-2026-50008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:30:06Z

Weaknesses