Open Source Backend Vulnerability in Parse Server by Parse Community
CVE-2026-50008
What is CVE-2026-50008?
Parse Server, an open-source backend framework, has a vulnerability that allows external clients to bypass the routeAllowList setting. Specifically, from version 9.8.0 up to but not including 9.9.1-alpha.3, the routeAllowList option is not properly enforced within certain API routes. The current implementation allows external requests that match the /batch handler to send sub-requests to any unlisted REST API routes, potentially leading to unauthorized access. Although authentication measures and other authorization controls remain intact, the lack of proper route enforcement exposes API endpoints not intended for public access. This vulnerability has been addressed in the subsequent release, version 9.9.1-alpha.3.
Affected Version(s)
parse-server >= 9.8.0, < 9.9.1-alpha.3
