Unauthorized Access in Parse Server Affecting Multiple Versions
CVE-2026-31800

8.8 HIGH

Key Information:

Vendor
CVE Published: 10 March 2026

What is CVE-2026-31800?

Parse Server, an open-source backend that runs on Node.js, contains a significant vulnerability that permits unauthorized access to the internal _GraphQLConfig and _Audience classes. Attackers can read, modify, and delete sensitive configurations through the generic /classes/_GraphQLConfig and /classes/_Audience REST API endpoints without master key authentication, circumventing the protections that exist on the dedicated endpoints. The issue is fixed in versions 9.5.2-alpha.12 and 8.6.25.
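For deployments that ran an affected version, the access log can be triaged for requests to the two generic endpoints named above. The following is an added example, not code from Parse Server or from this advisory; the combined log format, the `/parse` mount path, and every sample line are constructed assumptions.

```javascript
// Added example: triage access-log lines for requests to the two internal
// classes named in this advisory. Log format and sample lines are constructed.
const INTERNAL_CLASSES = ['_GraphQLConfig', '_Audience'];
const ACTION = { GET: 'read', POST: 'create', PUT: 'modify', DELETE: 'delete' };

// Common/combined log format: ip - user [time] "METHOD target HTTP/x" status size
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function classifyLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  // Drop the query string, then decode so %5FAudience is still matched.
  const path = safeDecode(target.split('?')[0]);
  const segs = path.split('/').filter(Boolean);
  const i = segs.indexOf('classes');
  if (i === -1 || !INTERNAL_CLASSES.includes(segs[i + 1])) return null;
  return {
    ip, time, method, status: Number(status),
    className: segs[i + 1],
    objectId: segs[i + 2] || null,
    action: ACTION[method] || 'other',
    // A 2xx answer means the server served the request rather than rejecting it.
    served: status.startsWith('2'),
  };
}

function triage(logText) {
  return logText.split('\n').map(classifyLine).filter(Boolean);
}

// Constructed sample log; "/parse" as the mount path is an assumption.
const SAMPLE_LOG = [
  '203.0.113.7 - - [11/Mar/2026:09:14:02 +0000] "GET /parse/classes/_GraphQLConfig HTTP/1.1" 200 412',
  '203.0.113.7 - - [11/Mar/2026:09:14:09 +0000] "PUT /parse/classes/%5FAudience/aB3xY9 HTTP/1.1" 200 40',
  '198.51.100.4 - - [11/Mar/2026:09:15:30 +0000] "GET /parse/classes/GameScore?limit=10 HTTP/1.1" 200 900',
  '203.0.113.7 - - [11/Mar/2026:09:16:44 +0000] "DELETE /parse/classes/_Audience/aB3xY9 HTTP/1.1" 403 31',
].join('\n');

for (const hit of triage(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.action} ${hit.className} status=${hit.status}`);
}
```

A log in this format does not record whether the master key accompanied a request, so each hit has to be compared against known administrative clients before it is treated as unauthorized.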

Affected Version(s)

parse-server >= 9.0.0, < 9.5.2-alpha.12

parse-server < 8.6.25

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
