File Download Bypass Vulnerability in Parse Server by Parse Community
CVE-2026-34784

8.2HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
31 March 2026

What is CVE-2026-34784?

Parse Server, an open-source backend capable of running on any Node.js infrastructure, is affected by a file download vulnerability that allows HTTP Range requests to bypass the afterFind(Parse.File) trigger. This leads to unauthorized access to files that should be secured through afterFind authorization logic and built-in validators like requireUser. The advisory highlights that this vulnerability is patched in versions 8.6.71 and 9.7.1-alpha.1. Users are encouraged to update to these versions to mitigate risks.

Affected Version(s)

parse-server < 8.6.71 < 8.6.71

parse-server >= 9.0.0, < 9.7.1-alpha.1 < 9.0.0, 9.7.1-alpha.1

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10361
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10362
x_refsource_MISC

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.