Auth bypass in Parse-community Parse-server

CVE-2026-34532

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.co…

Vulnerability class: Broken Access Control

EPSS: 0.000 (12.9th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.67, >= 9.0.0, < 9.7.0-alpha.11

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6 (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10342 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10343 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674 (x_refsource_MISC)