PT-2026-29167 · Unknown · Parse Server

Mtrezza · Published 2026-03-30 · Updated 2026-04-06 · CVE-2026-34373

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.66
Parse Server versions prior to 9.7.0-alpha.10

Description

Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the allowOrigin server option, unconditionally allowing cross-origin requests from any website. This bypasses origin restrictions configured by operators to control website interactions with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. The issue affects the "/graphql" API endpoint.

Recommendations

Upgrade to Parse Server version 8.6.66 or later.
Upgrade to Parse Server version 9.7.0-alpha.10 or later.
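
A post-upgrade check for the behaviour in the description, as an added example that is not Parse Server code: it classifies an endpoint's CORS response headers against the configured allowOrigin value for a probe origin that is not on the list. The function names, the sample origins and the constructed header sets are assumptions; `probeEndpoint` is meant to be pointed at the REST and "/graphql" URLs of your own deployment.

```javascript
// Added example (not Parse Server code). Function names and sample values
// below are hypothetical / constructed for illustration.

// allowOrigin: string or array of strings, as set in the server options.
function isOriginAllowed(allowOrigin, origin) {
  const list = Array.isArray(allowOrigin) ? allowOrigin : [allowOrigin];
  return list.includes('*') || list.includes(origin);
}

// headers: response headers with lower-case names (as Node's res.headers).
// A browser lets a page at probeOrigin read the response only when
// Access-Control-Allow-Origin is "*" or exactly equals that origin.
function auditCors(allowOrigin, probeOrigin, headers) {
  if (isOriginAllowed(allowOrigin, probeOrigin)) return 'inconclusive';
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === probeOrigin ? 'not-enforced' : 'enforced';
}

// Sends a CORS preflight to one endpoint of your own deployment and audits it.
async function probeEndpoint(url, probeOrigin, allowOrigin) {
  const mod = url.startsWith('https:') ? 'node:https' : 'node:http';
  const { request } = await import(mod);
  const headers = await new Promise((resolve, reject) => {
    const req = request(url, {
      method: 'OPTIONS',
      headers: { Origin: probeOrigin, 'Access-Control-Request-Method': 'POST' },
    }, (res) => { res.resume(); resolve(res.headers); });
    req.on('error', reject);
    req.end();
  });
  return auditCors(allowOrigin, probeOrigin, headers);
}

// Constructed sample responses for a server configured with one allowed origin.
const CONFIGURED = 'https://app.example.com';
const PROBE = 'https://unlisted.example.net';
const samples = {
  wildcard: { 'access-control-allow-origin': '*' },
  echoed: { 'access-control-allow-origin': PROBE },
  pinned: { 'access-control-allow-origin': CONFIGURED },
  absent: {},
};
function auditSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([k, h]) => [k, auditCors(CONFIGURED, PROBE, h)]));
}
```

A `not-enforced` result on "/graphql" alongside `enforced` on the REST endpoint matches the mismatch the description reports; `inconclusive` means the probe origin is itself permitted, so pick an origin outside the configured list.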

Exploit

Fix

Origin Validation Error


Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-34373
CVE-2026-34373
GHSA-Q3P6-G7C4-829C

Affected Products

Parse Server