PT-2026-26165 · Unknown · Parse Server

Mtrezza · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32944

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.21 and 8.6.45

Description

Parse Server is an open source backend deployable on Node.js infrastructures. An unauthenticated attacker can disrupt service by sending a request containing deeply nested query condition operators, causing the Parse Server process to terminate and denying service to connected clients. The issue is addressed by adding a depth limit for query condition operator nesting via the requestComplexity.queryDepth server option, which is disabled by default.

Recommendations

Parse Server versions prior to 9.6.0-alpha.21 should be upgraded to version 9.6.0-alpha.21 or later. Parse Server versions prior to 8.6.45 should be upgraded to version 8.6.45 or later. After upgrading, enable the requestComplexity.queryDepth server option and set it to a value appropriate for your application.
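
What a nesting-depth limit on query constraints does, as an added illustration (not Parse Server's implementation, and not code from this advisory): the check walks the constraint with an explicit stack, so measuring depth cannot itself exhaust the call stack. The names exceedsDepth, checkWhere and MAX_QUERY_DEPTH, the value 10, and the way depth is counted (every nested object or array is one level) are assumptions.

```javascript
'use strict';

// Added example, not Parse Server code. MAX_QUERY_DEPTH is an assumed value;
// pick one that matches the deepest query your own clients legitimately send.
const MAX_QUERY_DEPTH = 10;

// Returns true when `value` nests objects/arrays deeper than `limit`.
// Uses an explicit stack instead of recursion and stops as soon as the
// limit is crossed, so a hostile input costs little to reject.
function exceedsDepth(value, limit) {
  const stack = [{ node: value, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue; // scalar leaf
    if (depth + 1 > limit) return true;
    for (const child of Object.values(node)) {
      stack.push({ node: child, depth: depth + 1 });
    }
  }
  return false;
}

// Decide whether a request's `where` constraint should be processed.
// Accepts the raw JSON string (REST query parameter) or a parsed object.
function checkWhere(where, limit = MAX_QUERY_DEPTH) {
  let parsed = where;
  if (typeof where === 'string') {
    try {
      parsed = JSON.parse(where);
    } catch (err) {
      return { ok: false, status: 400, reason: 'where is not valid JSON' };
    }
  }
  if (exceedsDepth(parsed, limit)) {
    return { ok: false, status: 400, reason: `where nests deeper than ${limit}` };
  }
  return { ok: true };
}

// Constructed sample inputs (not taken from the advisory).
const shallow = '{"score":{"$gt":10}}';
const nested = { $or: [{ $and: [{ $or: [{ score: 1 }] }] }] };
console.log(checkWhere(shallow, 4)); // accepted
console.log(checkWhere(nested, 4));  // rejected with status 400
```

Rejections per client and the depth that triggered them are worth logging, since repeated rejections from one source indicate probing.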

Exploit

Fix

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers

BIT-PARSE-2026-32944
CVE-2026-32944
GHSA-9XP9-J92R-P88V

Affected Products

Parse Server