Access Control Bypass in Parse Server Cloud Functions
CVE-2026-34532

9.1CRITICAL

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
31 March 2026

What is CVE-2026-34532?

A vulnerability in Parse Server allows attackers to bypass access controls for Cloud Functions by manipulating the function name in the URL. Specifically, by appending "prototype.constructor", unauthenticated users can invoke functions that should be protected by validators such as requireUser or requireMaster. This flaw arises from the differences in traversal between Cloud Function handlers and their access control validators, leading to potential unauthorized access. Versions 8.6.67 and 9.7.0-alpha.11 include patches addressing this issue.

Affected Version(s)

parse-server < 8.6.67 < 8.6.67

parse-server >= 9.0.0, < 9.7.0-alpha.11 < 9.0.0, 9.7.0-alpha.11

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10342
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10343
x_refsource_MISC

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.