Improper access control in parse-server - CVE-2020-15126

Published: July 22, 2020 / Updated: May 23, 2026


Vulnerability identifier: #VU132203
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15126
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MeetFox
Affected software: parse-server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information.

The vulnerability exists due to improper access control in the viewer GraphQL query when it is used to fetch the authenticated user's User object and the objects related to it. A remote user can issue the viewer query to bypass the read restrictions on those objects and disclose sensitive information.

The issue affects the authenticated user's User object and any objects linked to it via a relation or pointer.


How to mitigate CVE-2020-15126

Install the security update from the vendor's website.

Sources