Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
Parse Server GraphQL WebSocket endpoint security risk
GHSA-p2x3-8689-cwpg
CVE-2026-32594
Summary
Any Parse Server deployment using GraphQL is at risk of unauthorized access. An attacker can bypass security checks and execute complex queries without a valid key. To protect your server, block WebSocket requests to the GraphQL subscriptions path at the network level.
What to do
- Update parse-server to version 9.6.0-alpha.14.
- Update parse-server to version 8.6.40.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0 , <= 9.6.0-alpha.14 | 9.6.0-alpha.14 |
| – | parse-server | <= 8.0.0 | 8.6.40 |
Original title
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Original description
### Impact
Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.
### Patches
The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.
### Workarounds
Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.
Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.
### Patches
The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.
### Workarounds
Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-306
Missing Authentication for Critical Function
- https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-86...
- https://github.com/parse-community/parse-server/pull/10189
- https://github.com/parse-community/parse-server/pull/10190
- https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a...
- https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f...
- https://github.com/advisories/GHSA-p2x3-8689-cwpg
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026