8.3
Parse Server Denial-of-Service via Unbounded Queries
CVE-2026-30946
GHSA-cmj3-wx7h-ffvg
Summary
Parse Server's REST and GraphQL APIs can be overwhelmed by complex queries: an attacker can send a specially crafted query whose complexity is not bounded by any limit. All Parse Server users who use the REST or GraphQL API are affected. The fix adds limits on query complexity, which you can adjust through server options; if you don't set these options, the default limits apply. Some requests, like those made with special keys, are not subject to these limits. There is no workaround for this issue: you need to update to a fixed version of Parse Server to protect your server from denial-of-service attacks.
What to do
- Update parse-server to version 8.6.15.
- Update parse-server to version 9.5.2-alpha.2.
- Update parse to version 9.5.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | <= 8.6.15 | 8.6.15 |
| – | parse-server | > 9.0.0 , <= 9.5.2-alpha.2 | 9.5.2-alpha.2 |
| parseplatform | parse-server | <= 8.6.15 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.2 | – |
| parseplatform | parse-server | 9.5.2 | – |
| – | parse | > 9.0.0 , <= 9.5.2 | 9.5.2 |
Original title
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
nvd CVSS4.0
8.7
Vulnerability type
CWE-770
Allocation of Resources Without Limits
- https://github.com/parse-community/parse-server/releases/tag/8.6.15
- https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2
- https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx...
- https://nvd.nist.gov/vuln/detail/CVE-2026-30946
- https://github.com/advisories/GHSA-cmj3-wx7h-ffvg
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30946... Vendor Advisory
- https://github.com/parse-community/parse-server Product
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026