Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Before 9.5.2-alpha.12 (9.x line) and 8.6.25 (8.x line), the internal classes _GraphQLConfig and _Audience can be read, modified, and deleted through the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints, which front the same data. An attacker holding only the application ID can therefore read, modify and delete the server's GraphQL configuration and push audience data. The issue is fixed in 9.5.2-alpha.12 and 8.6.25.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| parse-server | npm | >= 9.0.0-alpha.1, < 9.5.2-alpha.12 | 9.5.2-alpha.12 |
| parse-server | npm | < 8.6.25 | 8.6.25 |
Affected products
- Range: >= 9.0.0 < 9.5.2-alpha.12
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-7xg7-rqf6-pw6c (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-31800 (NVD)
- github.com/parse-community/parse-server/releases/tag/8.6.25 (release notes, 8.x fix)
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12 (release notes, 9.x fix)
- github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c (project security advisory)