Parse Server: Unsecured Access to GraphQL and Audience Data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

Parse Server: Unsecured Access to GraphQL and Audience Data

CVE-2026-31800 GHSA-7xg7-rqf6-pw6c

Summary

Parse Server's internal classes can be accessed without a master key, allowing attackers to read, modify, and delete sensitive GraphQL configuration and push audience data. This affects versions of Parse Server prior to 9.5.2-alpha.12 and 8.6.25. To fix the issue, update to the latest version of Parse Server.

What to do

Update parse-server to version 9.5.2-alpha.12.
Update parse-server to version 8.6.25.

Affected software

Vendor	Product	Affected versions	Fix available
–	parse-server	> 9.0.0-alpha.1 , <= 9.5.2-alpha.12	9.5.2-alpha.12
–	parse-server	<= 8.6.25	8.6.25
parseplatform	parse-server	<= 8.6.25	–
parseplatform	parse-server	> 9.0.0 , <= 9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–
parseplatform	parse-server	9.5.2	–

Original title

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Original description

### Impact

The `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated `/graphql-config` and `/push_audiences` endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data.

### Patches

The fix adds the affected internal classes to the `classesWithMasterOnlyAccess` list, ensuring that the generic `/classes/` routes enforce master key access consistently with the dedicated endpoints.

### Workarounds

There is no known workaround.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.25

nvd CVSS4.0 8.8

Vulnerability type

CWE-862 Missing Authorization

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026