Main Vulnerability Database Vulnerabilities #VU124981

#VU124981 Missing Authorization in Parse Server - CVE-2026-31800

Published: April 6, 2026

Vulnerability identifier: #VU124981

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-31800

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Parse Server

Software vendor:
Parse Community

Description

The vulnerability allows a remote attacker to read, modify, and delete GraphQL configuration and push audience data.

The vulnerability exists due to missing authorization in the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes when handling requests for internal classes without master key authentication. A remote attacker can send crafted requests to these generic class routes to read, modify, and delete GraphQL configuration and push audience data.

This issue bypasses the master key enforcement present on the dedicated /graphql-config and /push_audiences endpoints.

Remediation

Install security update from vendor's website.

External links

https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c

#VU124981 Missing Authorization in Parse Server - CVE-2026-31800

Description

Remediation

External links

Please verify you're human