EUVD-2026-12097

CVE-2026-32594 | HIGH 7.3 (CVSS 3.1) | 2026-03-13 | GitHub_M | GHSA-p2x3-8689-cwpg

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
Analysis Generated: Mar 13, 2026 - 21:01 (vuln.today)
EUVD ID Assigned: Mar 13, 2026 - 21:01 (euvd) - EUVD-2026-12097
CVE Published: Mar 13, 2026 - 19:56 (nvd) - HIGH 7.3

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.

Analysis

Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. …


Remediation

Within 7 days: Identify all affected systems and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.


Priority Score

37 (KEV: 0, EPSS: +0.1, CVSS: +36, POC: 0)
