High severity8.8NVD Advisory· Published Mar 31, 2026· Updated Apr 2, 2026
CVE-2026-34373
CVE-2026-34373
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | >= 9.0.0, < 9.7.0-alpha.10 | 9.7.0-alpha.10 |
parse-servernpm | >= 3.5.0, < 8.6.66 | 8.6.66 |
Affected products
12cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*+ 9 more
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*range: >=3.5.0,<8.6.66
- osv-coords2 versions
< 8.6.66+ 1 more
- (no CPE)range: < 8.6.66
- (no CPE)range: >= 9.0.0, < 9.7.0-alpha.10
Patches
Vulnerability mechanics
References
7- github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263nvdPatchWEB
- github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203nvdPatchWEB
- github.com/parse-community/parse-server/pull/10334nvdIssue TrackingPatchWEB
- github.com/parse-community/parse-server/pull/10335nvdIssue TrackingPatchWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829cnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-q3p6-g7c4-829cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34373ghsaADVISORY
News mentions
0No linked articles in our index yet.