CVE-2026-31800

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-31800
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.25 Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12 Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*
History

11 Mar 2026, 18:30

Type Values Removed Values Added
References () https://github.com/parse-community/parse-server/releases/tag/8.6.25 - () https://github.com/parse-community/parse-server/releases/tag/8.6.25 - Product, Release Notes
References () https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12 - () https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12 - Product, Release Notes
References () https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c - () https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c - Patch, Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
First Time Parseplatform
Parseplatform parse-server
CPE cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*

11 Mar 2026, 13:52

Type Values Removed Values Added
Summary
  • (es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.12 y 8.6.25, las clases internas _GraphQLConfig y _Audience podían ser leídas, modificadas y eliminadas a través de las rutas genéricas de la API REST /classes/_GraphQLConfig y /classes/_Audience sin autenticación de clave maestra. Esto elude la aplicación de la clave maestra que existe en los endpoints dedicados /graphql-config y /push_audiences. Un atacante puede leer, modificar y eliminar la configuración de GraphQL y los datos de audiencia de push. Esta vulnerabilidad está corregida en 9.5.2-alpha.12 y 8.6.25.

10 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-10 21:16

Updated : 2026-03-11 18:30

NVD link : CVE-2026-31800

Mitre link : CVE-2026-31800

CVE.ORG link : CVE-2026-31800

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-862

Missing Authorization