CVE-2026-47248
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | >= 9.0.0, < 9.9.1-alpha.2 | 9.9.1-alpha.2 |
parse-servernpm | < 8.6.78 | 8.6.78 |
Affected products
2- Range: < 8.6.78
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-8cph-rgr4-g5vjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47248ghsaADVISORY
- github.com/parse-community/parse-server/pull/10467nvdWEB
- github.com/parse-community/parse-server/pull/10468nvdWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vjnvdWEB
News mentions
0No linked articles in our index yet.