CVE Tools
Sign in

CVE-2026-34373

Parse Server: GraphQL API endpoint ignores CORS origin restriction

Published: Mar 31, 2026Updated: Apr 2, 2026 Sources: CVE List NVDCWE-346
NVD MITRE
8.8CVSSHIGH
EPSS Score
0.2%
Top 90.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-346

Affected Products

parse-serverparseplatform
LibraryLibrary
OSS Libraries / generic-library
parse-serverparse-community
LibraryLibrary
OSS Libraries / npm
parseplatformoss-projectOSS Librariesaka parse platform
parse-communityoss-projectOSS Librariesaka parse, parse server, parse-server

Exploitability

Official Patch Available

References

https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
github.com
https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
github.com
https://github.com/parse-community/parse-server/pull/10334
github.com
and 2 more references View all →

Timeline

Published
Mar 31, 2026
Last Updated
Apr 2, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-34373 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows