PT-2026-29272 · Unknown · Parse Server

Bugbunny-Research · Published 2026-03-31 · Updated 2026-04-06 · CVE-2026-34532

CVSS v4.0: 9.1 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.67
Parse Server versions prior to 9.7.0-alpha.11

Description
Parse Server is an open source backend deployable on Node.js infrastructures. An attacker can bypass Cloud Function validator access controls by appending prototype.constructor to the function name in the URL. This occurs when a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function. The trigger store traversal resolves the handler through its prototype chain, while the validator store does not mirror this traversal, so the validator is never found and no access control is enforced. This allows unauthenticated callers to invoke Cloud Functions protected by validators such as requireUser, requireMaster, or custom validation logic.

Recommendations
Update Parse Server to version 8.6.67 or later.
Update Parse Server to version 9.7.0-alpha.11 or later.
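The lookup divergence the description refers to, shown in an added JavaScript illustration that is not Parse Server's code: `handlers`, `validators`, `define`, `lookupByPath`, `runVulnerable`, `runHardened` and `outcome` are assumed names for a generic dotted-name handler lookup sitting beside an exact-key validator lookup. The hardened form restricts both lookups to own keys of their stores, so they can never resolve different things for the same name.

```javascript
// Added illustration, not Parse Server's implementation. Shows why a
// property-walking handler lookup and an exact-key validator lookup diverge
// for a name such as "hello.prototype.constructor", and one way to close it.

// Constructed registries: one for Cloud Function handlers, one for validators.
const handlers = {};
const validators = {};

function define(name, handler, validator) {
  handlers[name] = handler;
  if (validator) validators[name] = validator;
}

// Handler declared with the `function` keyword: such functions carry a
// `prototype` object whose `constructor` points back at the function itself.
// An arrow function has no `prototype`, which is why the declaration style matters.
define('hello', function hello(req) { return `hi ${req.user}`; }, { requireUser: true });

// Vulnerable pattern: resolve a dotted name by walking properties segment by
// segment. Each step follows ordinary property resolution, including the
// prototype chain of whatever object the previous segment landed on.
function lookupByPath(store, name) {
  return name.split('.').reduce((cur, seg) => (cur == null ? undefined : cur[seg]), store);
}

function runVulnerable(name, req) {
  const handler = lookupByPath(handlers, name);
  if (typeof handler !== 'function') throw new Error('unknown function');
  // Exact-key lookup: does not mirror the traversal above, so a dotted name
  // that still resolved to a handler finds no validator and skips the check.
  const validator = validators[name];
  if (validator && validator.requireUser && !req.user) throw new Error('unauthorized');
  return handler(req);
}

// Hardened pattern: a name is valid only if it is an own key of the handler
// store, and the validator is read with the same own-key rule. Dotted or
// inherited names never match, so the two lookups cannot disagree.
function runHardened(name, req) {
  if (!Object.hasOwn(handlers, name)) throw new Error('unknown function');
  const handler = handlers[name];
  const validator = Object.hasOwn(validators, name) ? validators[name] : undefined;
  if (validator && validator.requireUser && !req.user) throw new Error('unauthorized');
  return handler(req);
}

// Demo helper: return the result or the error message instead of throwing.
function outcome(run, name, req) {
  try { return run(name, req); } catch (e) { return `error: ${e.message}`; }
}
```

`Object.hasOwn` (Node 16.9+) is the key detail: a registered function name is always an own key of the store, so any request name that is not an own key, dotted names included, can be rejected before any lookup happens. Logging such rejections at the API boundary gives a cheap signal for probing of this class of bug.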

Exploit · Fix

Weakness Enumeration
Incorrect Authorization

Related Identifiers
BIT-PARSE-2026-34532
CVE-2026-34532
GHSA-VPJ2-QQ7W-5QQ6

Affected Products
Parse Server