Unauthenticated Data Exposure in Parse Server's GraphQL Endpoint
CVE-2026-47248

6.9MEDIUM

Key Information:

Vendor
CVE Published:
12 June 2026

What is CVE-2026-47248?

Parse Server's GraphQL endpoint has a vulnerability that allows unauthorized users to access sensitive schema metadata. This occurs through error messages generated by malformed queries, revealing valuable structures within the application. Malicious users, equipped with just the public application ID, could exploit this weakness to iteratively gather information such as class names, field names, and input specifics. Versions 8.6.78 and 9.9.1-alpha.2 have addressed this issue, enhancing the security posture of affected deployments.

Affected Version(s)

parse-server < 8.6.78 < 8.6.78

parse-server >= 9.0.0, < 9.9.1-alpha.2 < 9.0.0, 9.9.1-alpha.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.