Missing Authentication for Critical Function in Parse Server - CVE-2026-32594

 

Missing Authentication for Critical Function in Parse Server - CVE-2026-32594

Published: April 6, 2026


Vulnerability identifier: #VU125004
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32594
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to missing authentication for the GraphQL WebSocket endpoint for subscriptions when handling WebSocket connections. A remote attacker can connect to the endpoint and send GraphQL operations to disclose sensitive information and cause a denial of service.

The issue also allows access to the GraphQL schema via introspection even when public introspection is disabled, and configured query complexity limits are bypassed.


How to mitigate CVE-2026-32594

Install security update from vendor's website.

Sources