CVE-2026-31800
Received Received - Intake
Unauthorized Access in Parse Server REST API Allows Config Manipulation

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-19
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-31800
EUVD
EUVD-2026-10888
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Executive Summary

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.12 and 8.6.25. The issue is that the internal classes _GraphQLConfig and _Audience can be accessed via the generic REST API routes /classes/_GraphQLConfig and /classes/_Audience without requiring master key authentication.

Because of this, an attacker can read, modify, and delete GraphQL configuration and push audience data through these endpoints, bypassing the master key enforcement that is supposed to protect these resources on the dedicated /graphql-config and /push_audiences endpoints.

This vulnerability allows unauthorized access and manipulation of sensitive backend configuration data.

Impact Analysis

An attacker exploiting this vulnerability can read, modify, and delete critical backend configuration data related to GraphQL and push audiences without authentication.

This can lead to unauthorized data exposure, disruption of backend services, manipulation of application behavior, and potential loss or corruption of data.

Overall, it compromises the integrity and confidentiality of the backend system.

Compliance Impact

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Parse Server to version 9.5.2-alpha.12 or later, or 8.6.25 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart