SB2026040751 - Missing Authentication for Critical Function in Parse Server



SB2026040751 - Missing Authentication for Critical Function in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040751
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-32594)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to missing authentication for the GraphQL WebSocket endpoint for subscriptions when handling WebSocket connections. A remote attacker can connect to the endpoint and send GraphQL operations to disclose sensitive information and cause a denial of service.

The issue also allows access to the GraphQL schema via introspection even when public introspection is disabled, and configured query complexity limits are bypassed.


Remediation

Install update from vendor's website.