CVE-2026-34373
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction.
Patches
The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the allowOrigin and allowHeaders server options are consistently enforced across all endpoints.
Workarounds
There is no known workaround other than upgrading.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335
AnalysisAI
Parse Server's GraphQL API endpoint bypasses the configured allowOrigin CORS restriction, allowing cross-origin requests from any website while the REST API correctly enforces the policy. This authentication bypass affects Parse Server instances where operators have configured origin restrictions to limit API access, enabling attackers from arbitrary websites to interact with the GraphQL endpoint without respecting these security controls. The vulnerability has been patched in Parse Server 8 and 9 via upstream fixes, and no public exploit code or active exploitation has been confirmed.
Technical ContextAI
Parse Server is a Node.js backend framework for building scalable APIs. The vulnerability stems from inconsistent CORS (Cross-Origin Resource Sharing) middleware implementation between the GraphQL and REST API endpoints. The GraphQL endpoint failed to apply the CORS middleware that enforces the allowOrigin and allowHeaders server configuration options, allowing requests from any origin to bypass origin restrictions defined by operators. The root cause is classified under CWE-346 (Origin Validation Error), where the server fails to properly validate the origin of incoming requests. This is a configuration enforcement failure rather than a cryptographic or input validation flaw-the CORS policy mechanism itself was simply not connected to the GraphQL endpoint.
RemediationAI
Upgrade Parse Server to the patched version released for your major version (8.x or 9.x). The fixes are available in PR #10334 for Parse Server 9 and PR #10335 for Parse Server 8, with corresponding commits available in the repository. Verify that your Parse Server deployment applies the CORS middleware consistently across all API endpoints (GraphQL and REST) by checking that the allowOrigin and allowHeaders configuration options are respected. No workaround exists other than upgrading; refer to the GitHub security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c for release information and apply the patch immediately if you have configured origin restrictions.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q3p6-g7c4-829c