Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
6.9

Parse Server GraphQL Introspection Bypass

CVE-2026-30854 GHSA-q5q9-2rhp-33qw
Summary

An attacker can use Parse Server to gather sensitive information about your application's schema without authentication. This issue has been fixed in version 9.5.0-alpha.10. To protect your application, update to this version or later.

What to do
  • Update parse-server to version 9.5.0-alpha.10.
Affected software
VendorProductAffected versionsFix available
parse-server > 9.3.1-alpha.3 , <= 9.5.0-alpha.10 9.5.0-alpha.10
parseplatform parse-server > 9.4.0 , <= 9.5.0
parseplatform parse-server 9.3.1
parseplatform parse-server 9.3.1
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection ...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
nvd CVSS4.0 6.9
Vulnerability type
CWE-863 Incorrect Authorization
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026