Unauthenticated Data Exposure in Parse Server's GraphQL Endpoint
CVE-2026-47248
6.9MEDIUM
What is CVE-2026-47248?
Parse Server's GraphQL endpoint has a vulnerability that allows unauthorized users to access sensitive schema metadata. This occurs through error messages generated by malformed queries, revealing valuable structures within the application. Malicious users, equipped with just the public application ID, could exploit this weakness to iteratively gather information such as class names, field names, and input specifics. Versions 8.6.78 and 9.9.1-alpha.2 have addressed this issue, enhancing the security posture of affected deployments.
Affected Version(s)
parse-server < 8.6.78 < 8.6.78
parse-server >= 9.0.0, < 9.9.1-alpha.2 < 9.0.0, 9.9.1-alpha.2
