CVE-2026-31800
Received Received - Intake
Unauthorized Access in Parse Server REST API Allows Config Manipulation

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-05-09
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-07
NVD
CVE-2026-31800
EUVD
EUVD-2026-10888
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Parse Server to version 9.5.2-alpha.12 or later, or 8.6.25 or later, where the issue is fixed.


Can you explain this vulnerability to me?

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.12 and 8.6.25. The issue is that the internal classes _GraphQLConfig and _Audience can be accessed via the generic REST API routes /classes/_GraphQLConfig and /classes/_Audience without requiring master key authentication.

Because of this, an attacker can read, modify, and delete GraphQL configuration and push audience data through these endpoints, bypassing the master key enforcement that is supposed to protect these resources on the dedicated /graphql-config and /push_audiences endpoints.

This vulnerability allows unauthorized access and manipulation of sensitive backend configuration data.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can read, modify, and delete critical backend configuration data related to GraphQL and push audiences without authentication.

This can lead to unauthorized data exposure, disruption of backend services, manipulation of application behavior, and potential loss or corruption of data.

Overall, it compromises the integrity and confidentiality of the backend system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart