Missing Authorization in Parse Server - CVE-2026-31800

 

Missing Authorization in Parse Server - CVE-2026-31800

Published: April 6, 2026


Vulnerability identifier: #VU124981
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31800
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to read, modify, and delete GraphQL configuration and push audience data.

The vulnerability exists due to missing authorization in the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes when handling requests for internal classes without master key authentication. A remote attacker can send crafted requests to these generic class routes to read, modify, and delete GraphQL configuration and push audience data.

This issue bypasses the master key enforcement present on the dedicated /graphql-config and /push_audiences endpoints.


How to mitigate CVE-2026-31800

Install security update from vendor's website.

Sources