CVE-2026-32944
Received Received - Intake
Denial of Service via Deeply Nested Queries in Parse Server

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32944
Affected Vendors & Products
Showing 22 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server to 8.6.45 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 9.6.0-alpha.21 or 8.6.45 or later.

After upgrading, enable and configure the `requestComplexity.queryDepth` server option to set a depth limit for query condition operator nesting appropriate for your application.

Note that this option is disabled by default to avoid breaking changes, so it must be explicitly enabled.

No known workarounds are available.

Executive Summary

This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker could send a single request containing deeply nested query condition operators that would crash the Parse Server process. This crash terminates the server, causing a denial of service to all connected clients.

To address this, a depth limit for query condition operator nesting was introduced via the `requestComplexity.queryDepth` server option starting in the fixed versions. However, this option is disabled by default to avoid breaking changes, so upgrading and enabling this option with an appropriate value is necessary to mitigate the issue.

Impact Analysis

The vulnerability can cause a denial of service (DoS) by crashing the Parse Server process when it receives a specially crafted request with deeply nested query conditions. This results in the server terminating and all connected clients losing service until the server is restarted or fixed.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart