Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.47 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/pull/10210Issue Tracking
- https://github.com/parse-community/parse-server/pull/10211Issue Tracking
- https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgVendor Advisory
FAQ
What is CVE-2026-32886?
CVE-2026-32886 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling...
How severe is CVE-2026-32886?
CVE-2026-32886 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32886?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.