PT-2026-25374 · Unknown · Parse Server

Fancymalware · Published 2026-03-13 · Updated 2026-03-20 · CVE-2026-32594

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.40
Parse Server versions prior to 9.6.0-alpha.14
Description
Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by an issue in the GraphQL WebSocket endpoint for subscriptions. Before the fix, this endpoint did not enforce authentication, introspection control, or query complexity limits, because it was not routed through the standard Express middleware chain. This allowed attackers to connect to the WebSocket endpoint and execute GraphQL operations without valid API keys, read the GraphQL schema even with public introspection disabled, and bypass query complexity limits by sending arbitrarily complex queries.

Recommendations
Versions prior to 8.6.40 should be updated to version 8.6.40 or later. Versions prior to 9.6.0-alpha.14 should be updated to version 9.6.0-alpha.14 or later. As a workaround until the update is applied, block WebSocket upgrade requests to the GraphQL subscriptions path (by default /subscriptions) at the network level, for example using a reverse proxy or load balancer rule.
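The network-level workaround above, written out as an nginx reverse proxy configuration in front of Parse Server. This is an added example and not part of the advisory; the upstream address, server name and the assumption that GraphQL subscriptions are mounted at the default /subscriptions path are all assumptions.

```nginx
# Added example (not from the advisory): refuse WebSocket upgrades on the
# GraphQL subscriptions path while Parse Server is still unpatched.
# The upstream address and server_name below are assumptions.

# Evaluates to 1 when the client asks to upgrade the connection to WebSocket.
map $http_upgrade $ws_upgrade_requested {
    default        0;
    ~*^websocket$  1;
}

upstream parse_server {
    server 127.0.0.1:1337;   # assumed Parse Server listener
}

server {
    listen 443 ssl;
    server_name parse.example.com;   # assumed
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Default GraphQL subscriptions path; adjust if mounted elsewhere.
    location = /subscriptions {
        # Reject the upgrade handshake outright instead of proxying it.
        if ($ws_upgrade_requested) {
            return 403;
        }
        proxy_pass http://parse_server;
        proxy_set_header Host $host;
    }

    # Everything else is proxied as plain HTTP. nginx only forwards a
    # WebSocket upgrade where proxy_set_header Upgrade/Connection are set,
    # so no upgrade reaches the backend through this location either.
    location / {
        proxy_pass http://parse_server;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }
}
```

If other parts of the deployment legitimately need WebSockets (for example LiveQuery), add the Upgrade/Connection headers only in the location blocks that serve those paths so the /subscriptions rule keeps rejecting upgrades.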

Weakness Enumeration

Missing Authentication

Related Identifiers

BIT-PARSE-2026-32594
CVE-2026-32594
GHSA-P2X3-8689-CWPG

Affected Products

Node.Js
Parse Server