Skip to main content

Parse Server CVE-2020-15126

MEDIUM
Incorrect Authorization (CWE-863)
2020-07-22 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 22, 2020 - 23:15 nvd
MEDIUM 6.5

DescriptionNVD

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.

AnalysisAI

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object. Affected products include: Parseplatform Parse Server. Version information: version 3.5.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2026-32248 CRITICAL POC
9.8 Mar 12

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

CVE-2026-32242 HIGH POC
7.4 Mar 12

### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all

CVE-2026-30966 CRITICAL
10.0 Mar 10

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

CVE-2024-27298 CRITICAL
10.0 Mar 01

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2026-30863 CRITICAL
9.8 Mar 07

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula

CVE-2026-31840 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CVE-2026-31871 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

CVE-2026-31856 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

CVE-2023-36475 CRITICAL
9.8 Jun 28

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41878 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41879 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

Share

CVE-2020-15126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy