Moderate severityNVD Advisory· Published Mar 7, 2026· Updated Mar 9, 2026
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
CVE-2026-30854
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | >= 9.3.1-alpha.3, < 9.5.0-alpha.10 | 9.5.0-alpha.10 |
Affected products
1- Range: >= 9.3.1-alpha.3, < 9.5.0-alpha.10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-q5q9-2rhp-33qwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30854ghsaADVISORY
- github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qwghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.