Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | >= 3.5.0, < 8.6.66 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7cPatch
- https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bPatch
- https://github.com/parse-community/parse-server/pull/10334Issue TrackingPatch
- https://github.com/parse-community/parse-server/pull/10335Issue TrackingPatch
- https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7PatchVendor Advisory
FAQ
What is CVE-2026-34373?
CVE-2026-34373 is a vulnerability with a CVSS score of 8.8 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allow...
How severe is CVE-2026-34373?
CVE-2026-34373 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34373?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.