PT-2026-25986 · Unknown · Parse Server

Fancymalware · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32886

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.24; Parse Server versions prior to 8.6.47.

Description: Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name. Because the name is resolved by looking it up as a property of the object that stores registered cloud function handlers, a crafted name traverses the JavaScript prototype chain of that object instead of matching a registered handler, causing a stack overflow. The issue affects Parse Server, an open source backend deployable on Node.js infrastructures. The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. The vulnerable component is the cloud function handler; the attack is performed by calling a cloud function endpoint with a crafted function name.

Recommendations: Update Parse Server to version 9.6.0-alpha.24 or later. Update Parse Server to version 8.6.47 or later.
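The lookup pattern the description refers to, as an added example that is not Parse Server's own code: a minimal cloud-function registry stored as object properties, with plain property access (which walks the prototype chain) beside the own-property-only resolution the fix describes. The registry shape, the `hello` handler and the function names are assumptions.

```javascript
'use strict';

// Registered handlers keyed by cloud function name (constructed sample).
const handlers = {
  hello: async (req) => `hello ${req.params.name}`,
};

// Weak pattern: plain property access walks the prototype chain, so a name
// that was never registered can still resolve to an inherited property
// (a built-in method, the constructor) instead of to "not found".
function resolveWeak(name) {
  return handlers[name];
}

// Hardened pattern matching the described fix: only own properties of the
// registry count as registered cloud functions.
function resolveOwnOnly(name) {
  if (typeof name !== 'string') return undefined;
  return Object.prototype.hasOwnProperty.call(handlers, name)
    ? handlers[name]
    : undefined;
}

// Endpoint logic that refuses to run anything but a registered handler.
async function callFunction(name, params, resolve = resolveOwnOnly) {
  const handler = resolve(name);
  if (typeof handler !== 'function') {
    return { status: 404, body: { error: 'Invalid function' } };
  }
  return { status: 200, body: { result: await handler({ params }) } };
}

// For each name, report whether the resolver would treat it as callable.
function classify(names, resolve) {
  return names.map((n) => [n, typeof resolve(n) === 'function']);
}

// Stand-alone demonstration: inherited names differ between the two resolvers.
const probe = ['hello', 'missing', 'toString', 'constructor'];
console.log('weak    :', classify(probe, resolveWeak));
console.log('own-only:', classify(probe, resolveOwnOnly));
```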

Tags: Exploit · Fix · DoS · Prototype Pollution

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-32886
CVE-2026-32886
GHSA-4263-JGMP-7PF4

Affected Products

Parse Server