Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.40 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/pull/10189Issue TrackingPatch
- https://github.com/parse-community/parse-server/pull/10190Issue TrackingPatch
- https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-86MitigationPatchVendor Advisory
FAQ
What is CVE-2026-32594?
CVE-2026-32594 is a vulnerability with a CVSS score of 7.3 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pa...
How severe is CVE-2026-32594?
CVE-2026-32594 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32594?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.