Denial-of-Service Vulnerability in Parse Server by Parse Community
CVE-2026-34573

8.2 HIGH

Key Information:

Vendor
CVE Published: 31 March 2026

What is CVE-2026-34573?

Parse Server is an open-source backend that runs on Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, a flaw in the GraphQL query complexity validator can be exploited through specially crafted queries. The vulnerability allows unauthenticated attackers to send requests that block the Node.js event loop for a significant time, causing a denial of service that disrupts service for all concurrent users. The issue primarily affects instances where the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` settings are enabled. It is fixed in versions 8.6.68 and 9.7.0-alpha.12.

Affected Version(s)

parse-server < 8.6.68

parse-server >= 9.0.0, < 9.7.0-alpha.12

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
