Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.71 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed8411Patch
- https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257Patch
- https://github.com/parse-community/parse-server/pull/10361Issue TrackingPatch
- https://github.com/parse-community/parse-server/pull/10362Issue TrackingPatch
- https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qMitigationVendor Advisory
FAQ
What is CVE-2026-34784?
CVE-2026-34784 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the af...
How severe is CVE-2026-34784?
CVE-2026-34784 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34784?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.