Denial of Service in Parse Server Open Source Backend by Parse Community
CVE-2026-32944

8.7 HIGH

Key Information:

Vendor
CVE Published: 18 March 2026

What is CVE-2026-32944?

Parse Server is an open-source backend framework that enables developers to build applications on various infrastructures supporting Node.js. A vulnerability in versions before 9.6.0-alpha.21 and 8.6.45 allows an unauthenticated attacker to crash the Parse Server process by sending a query with deeply nested query condition operators. The resulting denial of service interrupts all connected clients. To address this issue, users are advised to upgrade to the latest versions and configure the requestComplexity.queryDepth server option to enforce a depth limit, which is essential for maintaining application availability.
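The depth-limit idea behind the requestComplexity.queryDepth mitigation, as an added example that is not Parse Server's own code: a check that measures how deeply `$`-prefixed condition operators are nested in a query's where object and rejects anything over a limit. The function names, the limit of 10 and the sample queries are assumptions made for this illustration.

```javascript
// Added illustration; not Parse Server's own implementation.
const MAX_QUERY_DEPTH = 10; // assumed limit, chosen for this example

// Returns the deepest nesting of $-prefixed operators in `where`.
// Uses an explicit stack instead of recursion so that the check itself
// cannot exhaust the call stack on a hostile query. Stops as soon as
// `stopAbove` is exceeded.
function operatorDepth(where, stopAbove = Infinity) {
  let deepest = 0;
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > deepest) deepest = depth;
    if (deepest > stopAbove) return deepest;
    if (Array.isArray(node)) {
      // Arrays (operator argument lists) do not add a level themselves.
      for (const item of node) stack.push({ node: item, depth });
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        // Only keys that name an operator increase the nesting depth.
        stack.push({ node: value, depth: key.startsWith('$') ? depth + 1 : depth });
      }
    }
  }
  return deepest;
}

// Accepts or rejects a query before it reaches the query engine.
function checkQueryDepth(where, maxDepth = MAX_QUERY_DEPTH) {
  const depth = operatorDepth(where, maxDepth);
  return { ok: depth <= maxDepth, depth };
}

// Constructed sample input: `levels` nested $or conditions around one constraint.
function buildNestedQuery(levels) {
  let query = { score: { $gt: 5 } };
  for (let i = 0; i < levels; i++) query = { $or: [query] };
  return query;
}

console.log(checkQueryDepth(buildNestedQuery(3)));    // accepted
console.log(checkQueryDepth(buildNestedQuery(5000))); // rejected at the limit
```

Because the traversal stops one level past the limit, a rejected query reports a depth of limit + 1 rather than its true depth.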

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.21

parse-server < 8.6.45

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
