PT-2026-29335 · Unknown+2 · Parse Server+2
Offset · Published 2026-03-31 · Updated 2026-04-06 · CVE-2026-34784
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1
Description
Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters supporting streaming, such as the default GridFS adapter. This bypass allows access to files that should be protected by afterFind trigger authorization logic or built-in validators like requireUser.
Recommendations
Update to Parse Server version 8.6.71 or later.
Update to Parse Server version 9.7.1-alpha.1 or later.
Exploit
Fix
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
GridFS
Node.js
Parse Server