CVE-2026-30946
Resource Exhaustion in Parse Server REST and GraphQL APIs

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor         Product       Version / Range
parseplatform  parse-server  9.5.2
parseplatform  parse-server  from 9.0.0 (inclusive) to 9.5.2 (exclusive)
parseplatform  parse-server  up to 8.6.15 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server, an open source backend that runs on Node.js. Prior to versions 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exploit the lack of complexity limits in the REST and GraphQL APIs by sending specially crafted queries. These queries can exhaust server resources such as CPU, memory, and database connections.

How can this vulnerability impact me?

The impact of this vulnerability is a potential denial of service condition. An attacker can exhaust critical server resources without authentication, which can degrade or completely disrupt the availability of the Parse Server backend, affecting any applications relying on it.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.2 or later if you are using the 9.x branch, or to version 8.6.15 or later if you are using the 8.x branch.

This update fixes the issue where unauthenticated attackers could exhaust server resources through crafted queries exploiting the lack of complexity limits in the REST and GraphQL APIs.