Main Vulnerability Database SB2026040774

SB2026040774 - Missing Authorization in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040774

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2026-31800)

The vulnerability allows a remote attacker to read, modify, and delete GraphQL configuration and push audience data.

The vulnerability exists due to missing authorization in the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes when handling requests for internal classes without master key authentication. A remote attacker can send crafted requests to these generic class routes to read, modify, and delete GraphQL configuration and push audience data.

This issue bypasses the master key enforcement present on the dedicated /graphql-config and /push_audiences endpoints.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c