CVE-2026-30854: GraphQL Introspection Authorization Bypass in Parse Server
Vulnerability ID: CVE-2026-30854
CVSS Score: 6.9
Published: 2026-03-09
Parse Server fails to adequately restrict GraphQL introspection queries when the graphQLPublicIntrospection setting is disabled. An unauthenticated attacker can bypass the restriction by nesting __type queries within inline fragments, allowing unauthorized discovery of the database schema.
TL;DR
A flaw in Parse Server's GraphQL AST parsing allows attackers to bypass introspection limits using nested inline fragments, resulting in unauthorized schema disclosure.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v4.0 Score: 6.9
- EPSS Score: 0.00065
- Impact: Schema Information Disclosure
- Exploit Status: Proof-of-Concept Available
- CISA KEV: No
Affected Systems
- Parse Server (Node.js backend)
- Parse Server: >= 9.3.1-alpha.3, < 9.5.0-alpha.10 (fixed in 9.5.0-alpha.10)
Exploit Details
- GitHub Security Advisory: Official advisory containing the GraphQL payload structure used to trigger the bypass.
Mitigation Strategies
- Upgrade Parse Server to version 9.5.0-alpha.10 or newer.
- Implement WAF rules to block GraphQL queries containing '__type' at any nesting depth (including inside inline fragments) if public introspection is not required.
- Enforce authentication at the network layer for the /graphql endpoint.
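A request-filtering rule of the kind listed above only helps if it matches `__type` wherever it appears, not just in the top-level selection set. The following is an added example, not code from Parse Server or from the advisory: a dependency-free JavaScript lexer that walks a query's selection sets and reports introspection fields at any depth. `naiveTopLevelOnly` is a hypothetical illustration of the blind spot of a top-level-only check (it is not Parse Server's actual logic), and the sample queries are constructed.

```javascript
// Added example (not Parse Server code): flag __type / __schema fields at any
// selection-set depth so an inline fragment cannot hide them from the check.
const INTROSPECTION_FIELDS = new Set(['__type', '__schema']);

// Minimal lexer: drops comments and string literals (they cannot carry fields),
// keeps '{' / '}' and GraphQL names; all other punctuation is irrelevant here.
function tokenize(query) {
  const re = /#[^\n]*|"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|[{}]|[_A-Za-z][_0-9A-Za-z]*/g;
  const tokens = [];
  let m;
  while ((m = re.exec(query)) !== null) {
    const t = m[0];
    if (t[0] === '#' || t[0] === '"') continue; // comment or string literal
    tokens.push(t);
  }
  return tokens;
}

// Returns every introspection field name with the nesting depth it was seen at
// (depth 1 = the operation's top-level selection set).
function findIntrospectionFields(query) {
  const hits = [];
  let depth = 0;
  for (const tok of tokenize(query)) {
    if (tok === '{') depth += 1;
    else if (tok === '}') depth -= 1;
    else if (INTROSPECTION_FIELDS.has(tok)) hits.push({ name: tok, depth });
  }
  return hits;
}

// Hypothetical illustration of the bug class: a check that only looks at the
// top-level selection set misses a __type nested inside an inline fragment.
function naiveTopLevelOnly(query) {
  return findIntrospectionFields(query).some((h) => h.depth === 1);
}

// Hardened check: an introspection field at any depth is enough to deny.
function containsIntrospection(query) {
  return findIntrospectionFields(query).length > 0;
}

// Constructed sample queries (not taken from the advisory).
const TOP_LEVEL = '{ __type(name: "User") { fields { name } } }';
const NESTED = 'query { ... on Query { __type(name: "User") { fields { name } } } }';
const BENIGN = '{ users { edges { node { id __typename } } } } # __type in a comment';
```

`__typename` is deliberately not in the deny set, since it is a per-object field and not a schema-discovery entry point; a conservative rule may still produce false positives for variables named `$__type`, which this lexer does not distinguish.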
Remediation Steps
- Verify the current version of parse-server deployed in the environment.
- Update the package.json dependency for parse-server to '>=9.5.0-alpha.10'.
- Run 'npm install' or 'yarn install' to pull the patched version.
- Execute the test suite to ensure no regressions in legitimate GraphQL API usage.
- Deploy the updated application to the production environment.