CVE-2026-30854

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
History

10 Mar 2026, 16:52

Type Values Removed Values Added
References () https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw - () https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw - Vendor Advisory
CPE cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
First Time Parseplatform
Parseplatform parse-server
Summary
  • (es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Desde la versión 9.3.1-alpha.3 hasta antes de la versión 9.5.0-alpha.10, cuando graphQLPublicIntrospection está deshabilitado, las consultas __type anidadas dentro de fragmentos en línea (por ejemplo, ... on Query { __type(name:'User') { name } }) eluden el control de introspección, permitiendo a usuarios no autenticados realizar reconocimiento de tipos. La introspección de __schema no se ve afectada. Este problema ha sido parcheado en la versión 9.5.0-alpha.10.

07 Mar 2026, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-07 17:15

Updated : 2026-03-10 16:52

NVD link : CVE-2026-30854

Mitre link : CVE-2026-30854

CVE.ORG link : CVE-2026-30854

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-863

Incorrect Authorization