Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
CVE-2026-47248

6.9MEDIUM

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47248?

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.

Affected Version(s)

parse-server < 8.6.78 < 8.6.78

parse-server >= 9.0.0, < 9.9.1-alpha.2 < 9.0.0, 9.9.1-alpha.2

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10467
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10468
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.