CVE-2026-34373
CORS Bypass in Parse Server GraphQL API Allows Unauthorized Requests
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | From 9.0.0 (inc) to 9.7.0 (exc) |
| parseplatform | parse-server | 9.7.0 |
| parseplatform | parse-server | From 3.5.0 (inc) to 8.6.66 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in CVE-2026-34373 allows the Parse Server's GraphQL API endpoint to bypass configured Cross-Origin Resource Sharing (CORS) origin restrictions, permitting cross-origin requests from any website. This could potentially expose the API to unauthorized access from untrusted origins.
Such unauthorized cross-origin requests may increase the risk of information disclosure or other security issues depending on the server configuration and usage. This risk could impact compliance with standards and regulations like GDPR or HIPAA, which require appropriate controls to protect personal and sensitive data from unauthorized access.
Therefore, until patched, this vulnerability could undermine the enforcement of access controls and data protection measures mandated by these regulations, potentially leading to non-compliance.
Can you explain this vulnerability to me?
CVE-2026-34373 is a security vulnerability in the Parse Server's GraphQL API endpoint where the endpoint did not properly enforce Cross-Origin Resource Sharing (CORS) origin restrictions configured via the allowOrigin server option.
Specifically, the GraphQL API endpoint allowed cross-origin requests from any website by responding with a wildcard ('*') or reflecting the request's Origin header without validating if the origin was authorized. This bypassed the intended origin restrictions that operators set to control which websites can interact with the Parse Server API.
The vulnerability was caused by the use of generic CORS middleware that did not enforce the configured allowed origins for the GraphQL endpoint, unlike the REST API which correctly enforced these restrictions.
The issue was fixed by replacing the generic CORS middleware with a custom middleware named allowCrossDomain that validates incoming request origins against the configured allowed origins and sets the appropriate CORS headers accordingly.
How can this vulnerability impact me?
This vulnerability allows unauthorized cross-origin requests to the Parse Server's GraphQL API endpoint from any website, bypassing the configured origin restrictions.
As a result, malicious or untrusted websites could interact with the API without restriction, potentially leading to cross-origin attacks such as cross-site request forgery (CSRF) or unauthorized data access depending on the server's configuration and usage.
Although the REST API endpoint enforces origin restrictions correctly, the GraphQL endpoint's failure to do so increases the attack surface and could expose sensitive data or functionality to unauthorized parties.
The CVSS v4 base score is 5.3 (Moderate), indicating a moderate severity risk with low attack complexity and no privileges required for exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Parse Server's GraphQL API endpoint improperly allowing cross-origin requests from any origin, ignoring configured CORS allowOrigin restrictions.
To detect this vulnerability on your system, you can test the GraphQL API endpoint by sending HTTP requests with different Origin headers and inspecting the Access-Control-Allow-Origin response header.
- Use curl to send a request with a custom Origin header and check whether the Access-Control-Allow-Origin header reflects the Origin or is set to '*'. For example:

```shell
curl -H "Origin: http://malicious.example.com" -I https://your-parse-server/graphql
```

- If the response header Access-Control-Allow-Origin is '*' or reflects the Origin header without validating it against allowed origins, the server is vulnerable.
- Similarly, test preflight OPTIONS requests:

```shell
curl -X OPTIONS -H "Origin: http://malicious.example.com" -H "Access-Control-Request-Method: POST" -I https://your-parse-server/graphql
```

If unauthorized origins are accepted and reflected in the Access-Control-Allow-Origin header, the vulnerability is present.
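To turn the curl checks above into a repeatable verdict, here is an added example (not part of the CVE record or of Parse Server) that parses a raw response header block and classifies it against the operator's configured allowOrigin list; the sample responses and the names `classifyCors` and `isVulnerable` are constructed for this illustration.

```javascript
// Added example (not part of the CVE record): classifies a raw HTTP response
// header block, as printed by the curl -I checks above, to tell whether the
// endpoint enforced the configured allowOrigin for the Origin that was sent.
// All sample responses below are constructed, not captured from a real server.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx > 0) {
      headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
    }
  }
  return headers;
}

// Returns 'wildcard', 'reflected-unlisted', 'blocked' or 'allowed' for one probe.
function classifyCors(rawResponse, sentOrigin, allowedOrigins) {
  const acao = parseHeaders(rawResponse)['access-control-allow-origin'];
  if (acao === undefined) return 'blocked';          // browser refuses the read
  if (acao === '*') {
    // '*' is only acceptable when the operator deliberately configured it.
    return allowedOrigins.includes('*') ? 'allowed' : 'wildcard';
  }
  if (acao === sentOrigin && !allowedOrigins.includes(sentOrigin)) {
    return 'reflected-unlisted';                     // Origin echoed unvalidated
  }
  return 'allowed';
}

// A probe with an unlisted Origin is a finding only in the two vulnerable cases.
function isVulnerable(rawResponse, sentOrigin, allowedOrigins) {
  const verdict = classifyCors(rawResponse, sentOrigin, allowedOrigins);
  return verdict === 'wildcard' || verdict === 'reflected-unlisted';
}

// Constructed responses: two vulnerable behaviours and one enforcing deployment.
const ALLOWED = ['https://app.example.com'];
const PROBE = 'http://malicious.example.com';
const wildcardResp = 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n';
const reflectResp = `HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: ${PROBE}\r\nVary: Origin\r\n`;
const fixedResp = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n';

for (const [name, resp] of [['wildcard', wildcardResp], ['reflect', reflectResp], ['fixed', fixedResp]]) {
  console.log(name, classifyCors(resp, PROBE, ALLOWED), isVulnerable(resp, PROBE, ALLOWED));
}
```

Feed it the header output of the curl commands for your own deployment together with the allowOrigin value you configured; only the 'wildcard' and 'reflected-unlisted' verdicts indicate the bypass.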
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade your Parse Server to a patched version where this vulnerability is fixed.
- Upgrade to Parse Server version 8.6.66 or later, or 9.7.0-alpha.10 or later, where the GraphQL API endpoint correctly enforces the allowOrigin CORS restrictions.
No known workarounds exist other than upgrading to a patched version.
The fix involves replacing the generic CORS middleware with a custom middleware that properly validates the Origin header against configured allowed origins, ensuring unauthorized cross-origin requests are blocked.
Until you can upgrade, consider restricting access to the GraphQL endpoint via network-level controls such as firewall rules or reverse proxy configurations to limit requests to trusted origins or IP addresses.
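The fix described above and in the earlier answer replaces generic CORS handling with origin validation against the configured list. The following is an added illustration of that pattern, not Parse Server's actual allowCrossDomain code; `makeCorsMiddleware` and the `simulate` request/response stand-ins are assumptions made for this example.

```javascript
// Added example, not Parse Server's own allowCrossDomain code: an Express-style
// middleware that emits Access-Control-Allow-Origin only for origins in the
// configured allow-list, instead of answering '*' or echoing any Origin.
// makeCorsMiddleware and the simulate() stand-ins are assumptions for this demo.
function makeCorsMiddleware(allowOrigin) {
  // Accept a single origin string or an array; '*' keeps a deliberately public API.
  const allowed = Array.isArray(allowOrigin) ? allowOrigin : [allowOrigin];
  const allowAll = allowed.includes('*');
  return function corsMiddleware(req, res, next) {
    const origin = req.headers['origin'];
    const permitted = Boolean(origin) && (allowAll || allowed.includes(origin));
    if (permitted) {
      // Only a listed origin is echoed back; an unlisted one gets no CORS headers,
      // so the browser refuses to expose the response to that page.
      res.setHeader('Access-Control-Allow-Origin', allowAll ? '*' : origin);
      res.setHeader('Vary', 'Origin');
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    if (req.method === 'OPTIONS') {
      // Preflight is answered here and never reaches the GraphQL handler.
      res.statusCode = 204;
      return res.end();
    }
    return next();
  };
}

// Minimal stand-ins for Express req/res so the middleware runs without a server.
function simulate(middleware, method, origin) {
  const req = { method, headers: origin ? { origin } : {} };
  const headers = {};
  let reachedHandler = false;
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name] = value; },
    end() {},
  };
  middleware(req, res, () => { reachedHandler = true; });
  return { headers, status: res.statusCode, reachedHandler };
}

// Operator config: only the first-party web app is trusted.
const corsGuard = makeCorsMiddleware('https://app.example.com');
console.log(simulate(corsGuard, 'POST', 'https://app.example.com').headers);
console.log(simulate(corsGuard, 'POST', 'http://malicious.example.com').headers);
```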