CVE-2026-34532
Prototype Pollution Bypass in Parse Server Cloud Function Access Controls
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | From 9.0.0 (inc) to 9.7.0 (exc) |
| parseplatform | parse-server | 9.7.0 |
| parseplatform | parse-server | to 8.6.67 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34532 is a critical vulnerability in Parse Server, an open source backend for Node.js. The flaw allows attackers to bypass Cloud Function validator access controls by exploiting JavaScript prototype chain traversal. Specifically, when a Cloud Function handler is declared with the traditional `function` keyword and its validator is a plain object or an arrow function, the server resolves the handler through its prototype chain but does not resolve the validator the same way. Because of this mismatch, appending `.prototype.constructor` to the function name in the URL resolves to the original handler while the validator lookup yields nothing, so the protected Cloud Function runs without the required validations such as `requireUser` or `requireMaster`.
This prototype chain traversal lets unauthorized users execute Cloud Functions that should be protected, effectively bypassing access control enforcement. The root cause is that the trigger store traversal follows handlers through their prototype chain while the validator store traversal does not, so the validation step is skipped.
The issue has been patched in Parse Server versions 8.6.67 and 9.7.0-alpha.11 by modifying the trigger store traversal to ensure that each intermediate node is a legitimate store object and stopping traversal if a non-store value is encountered.
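The following is an added, simplified model of the lookup defect and its fix; it is not Parse Server's own code. The store layout, the `exportReport` function name and the `requireUser` check are constructed for illustration; the point is that a name lookup which indexes into whatever each path segment returns can walk into a function's prototype chain, while one that insists on null-prototype store nodes cannot.

```javascript
// Added toy model of the lookup defect behind CVE-2026-34532; not Parse Server's code.
// Store nodes are null-prototype objects; handlers and validators live in parallel stores.
const createStore = () => Object.create(null);

// Pre-patch style: split the name on '.' and follow whatever each segment yields,
// so "name.prototype.constructor" walks through a handler's prototype chain.
function lookupUnsafe(store, path) {
  let node = store;
  for (const seg of path.split('.')) {
    if (node == null) return undefined;
    node = node[seg];
  }
  return node;
}

// Patched style: every node we index into must itself be a null-prototype store,
// so traversal stops as soon as it reaches a function, a prototype or a plain object.
function isStoreNode(v) {
  return typeof v === 'object' && v !== null && Object.getPrototypeOf(v) === null;
}
function lookupSafe(store, path) {
  let node = store;
  for (const seg of path.split('.')) {
    if (!isStoreNode(node)) return undefined;
    node = node[seg];
  }
  return node;
}

// Minimal dispatcher: a missing handler is "Invalid function"; a validator with
// requireUser rejects unauthenticated callers; a missing validator means no check.
function dispatch(lookup, handlers, validators, name, req) {
  const handler = lookup(handlers, name);
  if (typeof handler !== 'function') return { status: 400, error: 'Invalid function' };
  const validator = lookup(validators, name);
  if (validator && validator.requireUser && !req.user) {
    return { status: 401, error: 'Validation failed' };
  }
  return { status: 200, result: handler(req) };
}

// Constructed sample: a traditional `function` handler with a plain-object validator.
function buildStores() {
  const handlers = createStore();
  const validators = createStore();
  handlers.exportReport = function exportReport() { return 'report data'; };
  validators.exportReport = { requireUser: true };
  return { handlers, validators };
}
```

With `lookupUnsafe`, the name `exportReport.prototype.constructor` resolves the handler (function, its prototype, then the constructor, which is the function itself) but the validator path dead-ends at `undefined`, so the request runs unvalidated; `lookupSafe` refuses to index into the function and returns "Invalid function", which is the behaviour the patched server is described as having.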
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows unauthenticated attackers to invoke protected Cloud Functions without proper validation. This unauthorized access can lead to compromise of confidentiality and integrity of the system.
- Attackers can bypass access controls such as requireUser, requireMaster, or custom validation logic.
- Unauthorized execution of Cloud Functions may lead to data exposure or unauthorized data modification.
- The vulnerability has a high CVSS v4 base score of 9.1, indicating critical severity with network attack vector and no privileges or user interaction required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests that invoke Cloud Functions whose names have prototype chain traversal strings such as `.prototype` or `.prototype.constructor` appended.
Specifically, requests to URLs like `/functions/functionName.prototype.constructor` or `/functions/functionName.prototype` indicate attempts to exploit this vulnerability.
To detect such attempts on your network or system, search network monitoring data or web server access logs for these patterns.
- Use grep or similar tools on your server logs to find suspicious requests, for example: `grep -E '/functions/.*\.prototype(\.constructor)?' /path/to/access.log`
- Set up intrusion detection system (IDS) rules to alert on HTTP requests containing `.prototype` or `.prototype.constructor` in the function name parameter.
Additionally, the patched Parse Server rejects such requests with an HTTP 400 error carrying the `Parse.Error.SCRIPT_FAILED` code and an "Invalid function" message, so monitoring for these error responses can also help detect exploitation attempts against patched hosts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade your Parse Server to a patched version where this vulnerability is fixed.
- Upgrade to Parse Server version 8.6.67 or later, or 9.7.0-alpha.11 or later, where the vulnerability has been patched.
If an immediate upgrade is not possible, a temporary workaround is to define Cloud Function handlers as arrow functions instead of using the traditional `function` keyword, since arrow functions have no `prototype` property and therefore give the traversal nothing to walk into.
Additionally, monitor and block requests that address Cloud Functions with `.prototype` or `.prototype.constructor` suffixes to reduce risk until the upgrade is complete.
The patch itself prevents prototype chain traversal by verifying that each store object along the lookup path has a null prototype and stopping as soon as a non-store value is encountered, which closes this attack vector.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34532 allows unauthenticated attackers to bypass access controls on Cloud Functions in Parse Server, potentially leading to unauthorized access and modification of sensitive data.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
By enabling attackers to invoke protected functions without proper validation, this vulnerability risks violating confidentiality and integrity requirements mandated by these regulations.