CVE-2026-31800

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.12 Parse Server versions prior to 8.6.25

Description Parse Server, an open-source backend deployable on Node.js infrastructures, contains an issue where the internal GraphQLConfig and Audience classes are accessible, modifiable, and deletable through the /classes/ GraphQLConfig and /classes/ Audience REST API routes without requiring master key authentication. This circumvents the master key enforcement present in the dedicated /graphql-config and /push audiences API endpoints. An attacker could potentially read, modify, and delete GraphQL configuration and push audience data. The affected API endpoints are /classes/ GraphQLConfig and /classes/ Audience.

Recommendations Update to Parse Server version 9.5.2-alpha.12 or later. Update to Parse Server version 8.6.25 or later.