Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30854 is a vulnerability in the parse-server npm package versions from 9.3.1-alpha.3 up to but not including 9.5.0-alpha.10. It involves a bypass of GraphQL introspection controls when the graphQLPublicIntrospection setting is disabled.'}, {'type': 'paragraph', 'content': 'Specifically, unauthenticated users can perform __type introspection queries nested inside inline fragments (for example, ... on Query { __type(name:"User") { name } }) which bypasses the intended restriction on public introspection. This happens because the system only checked for __type queries at the top level and did not recursively inspect nested inline fragments.'}, {'type': 'paragraph', 'content': 'The __schema introspection remains unaffected by this vulnerability. The root cause is an incorrect authorization check (CWE-863) that failed to detect __type queries inside nested inline fragments.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated users to perform type reconnaissance on the GraphQL API by bypassing introspection controls, which can reveal information about the data types and schema structure.

The impact is limited to a low confidentiality loss since no integrity or availability of the system is affected. No privileges or user interaction are required to exploit this vulnerability, and the attack complexity is low with a network-based attack vector.

Workarounds include enforcing master key authentication at the network layer, such as via a reverse proxy, to protect the GraphQL endpoint.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves GraphQL introspection bypass via inline fragments when the graphQLPublicIntrospection setting is disabled. To detect it, you can monitor network traffic or logs for GraphQL queries that include __type introspection queries nested inside inline fragments, such as: ...on Query { __type(name:"User") { name } }.'}, {'type': 'paragraph', 'content': 'Since the attack vector is network-based and requires no privileges or user interaction, inspecting GraphQL requests to the parse-server endpoint for such nested __type queries can help identify exploitation attempts.'}, {'type': 'paragraph', 'content': "A suggested command to detect such queries in logs or live traffic might be to use grep or similar tools to search for the pattern '__type' inside GraphQL queries, for example:"}, {'type': 'list_item', 'content': "grep -r '__type' /path/to/parse-server/logs"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 1337' | grep '__type'"}, {'type': 'paragraph', 'content': "Replace 'tcp port 1337' with the actual port your parse-server GraphQL endpoint listens on. These commands help identify if unauthorized __type introspection queries nested inside inline fragments are being sent."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability was fixed in parse-server version 9.5.0-alpha.10. The immediate step is to upgrade your parse-server to version 9.5.0-alpha.10 or later.

If upgrading immediately is not possible, a recommended workaround is to enforce master key authentication at the network layer, for example by using a reverse proxy to restrict access to the GraphQL endpoint.

This will help prevent unauthenticated users from performing the unauthorized __type introspection queries that bypass the graphQLPublicIntrospection setting.

Useful 0 Not Useful 0