Open Source Backend Vulnerability in Parse Server by Parse Community
CVE-2026-50008

6.9MEDIUM

Key Information:

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50008?

Parse Server, an open-source backend framework, has a vulnerability that allows external clients to bypass the routeAllowList setting. Specifically, from version 9.8.0 up to but not including 9.9.1-alpha.3, the routeAllowList option is not properly enforced within certain API routes. The current implementation allows external requests that match the /batch handler to send sub-requests to any unlisted REST API routes, potentially leading to unauthorized access. Although authentication measures and other authorization controls remain intact, the lack of proper route enforcement exposes API endpoints not intended for public access. This vulnerability has been addressed in the subsequent release, version 9.9.1-alpha.3.

Affected Version(s)

parse-server >= 9.8.0, < 9.9.1-alpha.3

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.