PT-2026-29167 · Unknown · Parse Server

Mtrezza · Published 2026-03-30 · Updated 2026-04-06 · CVE-2026-34373

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.66
Parse Server versions prior to 9.7.0-alpha.10

Description

Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the allowOrigin server option, unconditionally allowing cross-origin requests from any website. This bypasses origin restrictions configured by operators to control website interactions with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. The issue affects the "/graphql" API endpoint.

Recommendations

Upgrade to Parse Server version 8.6.66 or later.
Upgrade to Parse Server version 9.7.0-alpha.10 or later.
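
An added example, not code from this advisory or from the Parse Server project: an offline check that compares captured CORS response headers against the configured allowOrigin value and reports endpoints that admit an origin the operator did not configure. The helper names, the REST path, the origins and the captured headers are constructed for illustration; treating allowOrigin as a string or a list of strings is an assumption.

```javascript
// Added example: audit captured CORS response headers against allowOrigin.
// All sample data is constructed; function names are hypothetical helpers.

// True when the response headers let a browser page at `origin` read the response.
function responseAllowsOrigin(headers, origin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim(); // header names are case-insensitive
  }
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return false;
  return acao === '*' || acao === origin; // wildcard or exact match
}

// Assumption: allowOrigin is either one origin string or a list of origins.
function originIsConfigured(allowOrigin, origin) {
  const list = Array.isArray(allowOrigin) ? allowOrigin : [allowOrigin];
  return list.includes('*') || list.includes(origin);
}

// Paths whose response admits an origin that allowOrigin does not list.
function findOriginBypass(allowOrigin, probes) {
  return probes
    .filter(p => responseAllowsOrigin(p.headers, p.origin) &&
                 !originIsConfigured(allowOrigin, p.origin))
    .map(p => p.path);
}

// Constructed configuration and captured responses (one per request Origin).
const allowOrigin = ['https://app.example.com'];
const probes = [
  // REST endpoint: answers with the configured origin only, so the
  // unlisted origin cannot read the response.
  { path: '/parse/classes/Item', origin: 'https://untrusted.example',
    headers: { 'Access-Control-Allow-Origin': 'https://app.example.com' } },
  // GraphQL endpoint answering with a wildcard: the configured restriction
  // is not applied, which is the condition described above.
  { path: '/graphql', origin: 'https://untrusted.example',
    headers: { 'access-control-allow-origin': '*' } },
  // GraphQL endpoint with the restriction applied to a listed origin.
  { path: '/graphql', origin: 'https://app.example.com',
    headers: { 'Access-Control-Allow-Origin': 'https://app.example.com' } },
];

console.log(findOriginBypass(allowOrigin, probes)); // [ '/graphql' ]
```

Run the same comparison on headers captured before and after upgrading to confirm that "/graphql" follows the configured restriction.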

Exploit

Fix

Origin Validation Error


Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-34373
CVE-2026-34373
GHSA-Q3P6-G7C4-829C

Affected Products

Parse Server