Skip to main content

Parse Server EUVDEUVD-2026-36537

| CVE-2026-50008 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-12 GitHub_M GHSA-p84r-h6rx-f2xr
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable batch endpoint with no auth per PR:N; C:L/I:L bounded by inner ACL/CLP controls; no availability impact; scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 19:30 vuln.today
Analysis Generated
Jun 12, 2026 - 19:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on parse-server (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.8.0.

DescriptionCVE.org

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply - only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.

AnalysisAI

Parse Server's operator-configured route firewall (routeAllowList) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the /batch endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the /batch handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on routeAllowList as a primary access-control layer are directly and materially affected.

Technical ContextAI

Parse Server is an open-source Node.js backend exposing a REST API for Parse Platform clients. The routeAllowList server option acts as an operator-configured route firewall implemented as Express middleware (enforceRouteAllowList in src/middlewares.js). It intercepts incoming HTTP requests, normalizes the URL path, and compares it against the configured list before forwarding to the router. The /batch endpoint (handleBatch in src/batch.js) accepts a single POST containing an array of sub-request objects, each specifying method and path, and dispatches them sequentially to the internal router - bypassing the Express middleware layer entirely. The root cause is CWE-863 (Incorrect Authorization): the authorization check is correctly placed for direct requests but is not re-enforced at the internal dispatch point for batch sub-requests. CPE cpe:2.3:a:parse-community:parse-server:*:*:*:*:*:*:*:* covers the affected range. The fix in PR #10482 imports isRouteAllowed() into src/batch.js and calls it for each sub-request path inside handleBatch() before dispatch, rejecting the entire batch if any sub-request path fails the check. The master key intentionally bypasses the sub-request allow-list check, consistent with its privileged role.

RemediationAI

Upgrade Parse Server to version 9.9.1-alpha.3, which adds per-sub-request routeAllowList enforcement inside handleBatch() (upstream fix: https://github.com/parse-community/parse-server/pull/10482). Note that 9.9.1-alpha.3 is a pre-release; operators should evaluate production stability before deploying and monitor the parse-community repository for a stable release incorporating this fix. If immediate upgrade is not possible, remove batch from the routeAllowList to block external access to the batch endpoint entirely - this will break any client features that use batch API calls and should be weighed against the exposure. As a defense-in-depth measure regardless of upgrade status, ensure that every sensitive class and cloud function route is protected by Parse ACL, CLP, and authentication controls so that even if the route firewall is bypassed, data-level authorization remains enforced. The vendor advisory is at https://github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-36537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy