Remote Stack Overflow Vulnerability in Parse Server by Parse Community
CVE-2026-32886

8.2 HIGH

Key Information:

Vendor
CVE Published: 18 March 2026

What is CVE-2026-32886?

Parse Server, an open-source backend framework, has a vulnerability that allows remote clients to crash the server by invoking a specially crafted cloud function name. The crafted name is resolved through the JavaScript prototype chain, which leads to a stack overflow. Versions 9.6.0-alpha.24 and 8.6.47 fix the issue by restricting property lookups during cloud function resolution to own properties, which prevents prototype chain traversal. As of now, there are no known workarounds for this issue.
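The difference between a prototype-chain lookup and an own-property lookup, as an added example that is not Parse Server's code. The `handlers` registry and all function names are hypothetical, and the sample names are generic `Object.prototype` members rather than the crafted name from the advisory.

```javascript
// Hypothetical handler registry keyed by a client-supplied name.
// Illustrative only; this is not Parse Server's implementation.
const handlers = {
  hello: () => 'world',
};

// Before: bracket lookup walks the prototype chain, so a name matching a
// member of Object.prototype resolves to something nobody registered.
function resolveInherited(name) {
  return handlers[name];
}

// After: only own properties of the registry count as handlers.
function resolveOwn(name) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) return undefined;
  const fn = handlers[name];
  return typeof fn === 'function' ? fn : undefined;
}

// Audit helper: names reachable through the prototype chain that are not
// own properties, i.e. what an unguarded lookup on this object would accept.
function inheritedNames(obj) {
  const found = new Set();
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    for (const key of Object.getOwnPropertyNames(p)) {
      if (!Object.prototype.hasOwnProperty.call(obj, key)) found.add(key);
    }
  }
  return [...found].sort();
}

// Constructed sample names: one registered, three inherited, one absent.
const sampleNames = ['hello', 'toString', 'constructor', 'hasOwnProperty', 'missing'];

function compare(names) {
  return names.map((name) => ({
    name,
    inherited: typeof resolveInherited(name),
    own: typeof resolveOwn(name),
  }));
}

console.table(compare(sampleNames));
// A registry with no prototype has nothing to inherit in the first place.
console.log(inheritedNames(Object.assign(Object.create(null), handlers)));
```

Running `inheritedNames` against a lookup table in your own code lists the names an unguarded `table[name]` would accept beyond the ones you registered.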

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.24

parse-server < 8.6.47

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
