Main Vulnerability Database Vulnerabilities #VU124966

Improper access control in Parse Server - #VU124966

Published: April 6, 2026

Vulnerability identifier: #VU124966

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Parse Community

Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in explain query handling when processing public explain queries. A remote attacker can send explain queries without the master key to disclose sensitive information.

The issue may expose database schema structure, field names, index configurations, query optimization details, and query execution statistics.

Remediation

Install security update from vendor's website.

Sources

https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq

Improper access control in Parse Server - #VU124966

Detailed vulnerability description

Remediation

Sources

Please verify you're human