CVE-2026-30946
Received Received - Intake
Resource Exhaustion in Parse Server REST and GraphQL APIs

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30946
EUVD
EUVD-2026-10862
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server, an open source backend that runs on Node.js. Prior to versions 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exploit the lack of complexity limits in the REST and GraphQL APIs by sending specially crafted queries. These queries can exhaust server resources such as CPU, memory, and database connections.

Impact Analysis

The impact of this vulnerability is a potential denial of service condition. An attacker can exhaust critical server resources without authentication, which can degrade or completely disrupt the availability of the Parse Server backend, affecting any applications relying on it.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.2 or later if you are using the 9.x branch, or to version 8.6.15 or later if you are using the 8.x branch.

This update fixes the issue where unauthenticated attackers could exhaust server resources through crafted queries exploiting the lack of complexity limits in the REST and GraphQL APIs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart