Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
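Choosing a value for `requestComplexity.queryDepth` is easier when you know how deeply your application's legitimate queries nest. The following is an added example, not Parse Server code, that measures this over constructed sample `where` clauses. The function names and the counting convention (each `$`-prefixed key adds one level) are assumptions and may differ from how Parse Server counts depth.

```javascript
// Added example: measure how deeply query condition operators nest in a
// Parse-style `where` clause. Counting convention is an assumption of this
// example: every key that starts with "$" adds one level of nesting.

// Iterative walk with an explicit stack, so the measurement itself never
// recurses on the structure of the input.
function operatorDepth(where) {
  let max = 0;
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > max) max = depth;
    if (Array.isArray(node)) {
      // Array members (e.g. the branches of $or) sit at the same level.
      for (const item of node) stack.push({ node: item, depth });
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        const next = key.startsWith('$') ? depth + 1 : depth;
        stack.push({ node: value, depth: next });
      }
    }
  }
  return max;
}

// Largest depth across a set of queries, e.g. ones your clients really send.
function maxObservedDepth(queries) {
  return queries.reduce((m, q) => Math.max(m, operatorDepth(q)), 0);
}

// Constructed sample queries (not taken from any real application).
const sampleQueries = [
  { score: { $gt: 10 } },
  { $or: [{ score: { $gt: 10 } }, { name: 'a' }] },
  { $and: [{ $or: [{ a: 1 }, { b: { $lt: 5 } }] }, { c: 2 }] },
];

const observed = maxObservedDepth(sampleQueries);
console.log(`deepest sample query nests ${observed} operator levels`);
// Use the observed maximum, plus whatever headroom you judge sensible, as the
// starting point for requestComplexity.queryDepth after upgrading.
```

Run it over queries captured from your own clients or test suite rather than the samples, then confirm the chosen limit against the upgraded server in staging.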
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.45 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/pull/10202 (Issue Tracking)
- https://github.com/parse-community/parse-server/pull/10203 (Issue Tracking)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j9 (Vendor Advisory)
FAQ
What is CVE-2026-32944?
CVE-2026-32944 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server proce...
How severe is CVE-2026-32944?
CVE-2026-32944 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-32944?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.