Auth bypass in Parse-community Parse-server

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its val…

EPSS: 0.000 (3.6th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.71, >= 9.0.0, < 9.7.1-alpha.1

Weakness classification (CWE)

CWE-285 — Improper Authorization

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10361 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10362 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22 (x_refsource_MISC)