Vulnerability in Parse-community Parse-server

CVE-2026-34595

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields clas…

EPSS: 0.000 (10.7th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.70, >= 9.0.0, < 9.7.0-alpha.18

Weakness classification (CWE)

CWE-843 — Access of Resource Using Incompatible Type (Type Confusion)

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2 (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10350 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10351 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2 (x_refsource_MISC)