Skip to main content

CVE-2026-34373

MEDIUM
Origin Validation Error (CWE-346)
2026-03-30 https://github.com/parse-community/parse-server GHSA-q3p6-g7c4-829c
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 30, 2026 - 18:15 vuln.today
Patch released
Mar 30, 2026 - 18:15 nvd
Patch available
CVE Published
Mar 30, 2026 - 18:05 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction.

Patches

The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the allowOrigin and allowHeaders server options are consistently enforced across all endpoints.

Workarounds

There is no known workaround other than upgrading.

Resources

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335

AnalysisAI

Parse Server's GraphQL API endpoint bypasses the configured allowOrigin CORS restriction, allowing cross-origin requests from any website while the REST API correctly enforces the policy. This authentication bypass affects Parse Server instances where operators have configured origin restrictions to limit API access, enabling attackers from arbitrary websites to interact with the GraphQL endpoint without respecting these security controls. The vulnerability has been patched in Parse Server 8 and 9 via upstream fixes, and no public exploit code or active exploitation has been confirmed.

Technical ContextAI

Parse Server is a Node.js backend framework for building scalable APIs. The vulnerability stems from inconsistent CORS (Cross-Origin Resource Sharing) middleware implementation between the GraphQL and REST API endpoints. The GraphQL endpoint failed to apply the CORS middleware that enforces the allowOrigin and allowHeaders server configuration options, allowing requests from any origin to bypass origin restrictions defined by operators. The root cause is classified under CWE-346 (Origin Validation Error), where the server fails to properly validate the origin of incoming requests. This is a configuration enforcement failure rather than a cryptographic or input validation flaw-the CORS policy mechanism itself was simply not connected to the GraphQL endpoint.

RemediationAI

Upgrade Parse Server to the patched version released for your major version (8.x or 9.x). The fixes are available in PR #10334 for Parse Server 9 and PR #10335 for Parse Server 8, with corresponding commits available in the repository. Verify that your Parse Server deployment applies the CORS middleware consistently across all API endpoints (GraphQL and REST) by checking that the allowOrigin and allowHeaders configuration options are respected. No workaround exists other than upgrading; refer to the GitHub security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c for release information and apply the patch immediately if you have configured origin restrictions.

Share

CVE-2026-34373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy