PT-2026-23874 · Unknown · Parse Server

Fancymalware · Published 2026-03-07 · Updated 2026-03-11

CVE-2026-30854

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10

Description: Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent unauthenticated users from performing type reconnaissance. Specifically, `__type` queries nested within inline fragments can bypass the introspection controls; the `__schema` introspection functionality is unaffected. The issue occurs when graphQLPublicIntrospection is disabled and allows attackers to gather information about the server's schema. The vulnerable queries use the `__type` introspection field inside an inline fragment, for example `... on Query { __type(name:"User") { name } }`.

Recommendations: Update to Parse Server version 9.5.0-alpha.10 or later.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-PARSE-2026-30854
CVE-2026-30854
GHSA-Q5Q9-2RHP-33QW

Affected Products

Node.Js
Parse Server