CVE-2026-34784
Unauthorized File Access via HTTP Range Bypass in Parse Server
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | Before 8.6.71 (exclusive) |
| parseplatform | parse-server | From 9.0.0 (inclusive) to 9.7.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to files that should be protected by authorization logic in the Parse Server backend.
- Attackers can use HTTP Range requests to bypass authorization checks and download partial or full content of protected files.
- Sensitive or confidential files stored using streaming-capable storage adapters (like GridFS) may be exposed to unauthorized users.
- This unauthorized access can compromise data confidentiality and potentially lead to data leaks.
Overall, the vulnerability poses a high risk to the confidentiality of protected files in applications using vulnerable versions of Parse Server.
Can you explain this vulnerability to me?
CVE-2026-34784 is a security vulnerability in Parse Server, an open source backend for Node.js. The issue occurs because file downloads using HTTP Range requests (streaming downloads) bypass the afterFind(Parse.File) trigger, which is responsible for enforcing authorization and validation logic on file access.
This means that unauthorized users could access protected files by exploiting ranged (streaming) download requests, circumventing the intended access controls such as requireUser validators or custom authorization logic defined in the afterFind trigger.
The root cause was that while the afterFind trigger was invoked for streaming downloads, its results (including access denial or response header modifications) were ignored, allowing the server to stream file content without proper authorization checks.
The vulnerability was fixed by ensuring that the afterFind trigger is properly executed and enforced on all file downloads, including ranged streaming requests. This includes resolving user authentication from session tokens and applying trigger-based access controls before streaming any file data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA because it allows unauthorized access to protected files containing potentially sensitive personal or health information.
By bypassing authorization controls, the vulnerability undermines the confidentiality and access control requirements mandated by these regulations.
Organizations using affected Parse Server versions may face increased risk of data breaches, which can lead to regulatory penalties, legal liabilities, and reputational damage.
Applying the patch that enforces proper authorization on all file downloads is essential to maintain compliance and protect sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to files via HTTP Range requests that bypass the afterFind(Parse.File) trigger authorization in Parse Server. To detect exploitation attempts on your network or system, you should monitor HTTP requests for file downloads that include the Range header, especially those lacking valid session tokens or authorization headers.
Suggested detection commands or methods include:
- Use network traffic analysis tools (e.g., tcpdump, Wireshark) to filter HTTP GET requests with Range headers targeting your Parse Server file endpoints.
- Example tcpdump command to capture HTTP Range requests: tcpdump -i <interface> 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -A | grep -i 'Range:'
- Check server logs for file download requests that include the Range header but lack valid X-Parse-Session-Token headers or show HTTP 200/206 responses without proper authorization.
- Use curl or similar tools to test file downloads with and without session tokens and Range headers to verify if unauthorized ranged requests are allowed.
Note that the vulnerability specifically affects streaming file downloads that bypass the afterFind trigger authorization, so focusing on ranged HTTP requests and session token validation is key.
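The log review suggested in the answer above, as an added example (not part of the advisory or of Parse Server): it scans a request log for ranged downloads of the files endpoint that carried no session token yet were served with 200/206, and correlates them with 401 denials on plain requests from the same source, which is what an authorization check that only the full-download path enforces looks like in a log. The JSON-lines log format (fields ts, src, method, path, range, session, status) and the /parse/files/ prefix are assumptions; map them to whatever your proxy or application log actually records.

```javascript
// Added detection example (not from the advisory): scan a request log for
// the pattern the advisory suggests watching for, ranged downloads from the
// files endpoint that carried no Parse session token yet got a 200/206, and
// correlate them with 401 denials on non-ranged requests from the same
// source. The JSON-lines log format (fields ts, src, method, path, range,
// session, status) and the /parse/files/ prefix are assumptions; map them
// to whatever your proxy or application log actually records.

// Constructed sample log: one JSON object per line, documentation-range IPs,
// placeholder session tokens. The last line is deliberately malformed.
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:00:00Z","src":"203.0.113.5","method":"GET","path":"/parse/files/app1/report.pdf","range":null,"session":null,"status":401}',
  '{"ts":"2026-04-01T10:00:01Z","src":"203.0.113.5","method":"GET","path":"/parse/files/app1/report.pdf","range":"bytes=0-1023","session":null,"status":206}',
  '{"ts":"2026-04-01T10:00:02Z","src":"203.0.113.5","method":"GET","path":"/parse/files/app1/report.pdf","range":"bytes=1024-","session":null,"status":206}',
  '{"ts":"2026-04-01T10:00:03Z","src":"198.51.100.7","method":"GET","path":"/parse/files/app1/report.pdf","range":"bytes=0-","session":"r:placeholder","status":206}',
  '{"ts":"2026-04-01T10:00:04Z","src":"192.0.2.3","method":"GET","path":"/parse/classes/Thing","range":"bytes=0-9","session":null,"status":200}',
  'not a json line',
].join('\n');

const FILES_PREFIX = '/parse/files/'; // assumed mount path + files route

// Parse one line; malformed lines yield null instead of aborting the scan.
function parseLogLine(line) {
  try {
    const e = JSON.parse(line);
    return typeof e === 'object' && e !== null && typeof e.path === 'string' ? e : null;
  } catch (err) {
    return null;
  }
}

function isFileDownload(e) {
  return e.method === 'GET' && e.path.startsWith(FILES_PREFIX);
}

// Anonymous ranged download that was served: the advisory's key indicator.
function isSuspicious(e) {
  return isFileDownload(e) && Boolean(e.range) && !e.session && (e.status === 206 || e.status === 200);
}

// Scan the log text. Returns the flagged entries, a per-source count, and the
// sources that were denied (401) on a plain request but served on a ranged
// one, the signature of a check enforced only on the full-download path.
function scanLog(text) {
  const flagged = [];
  const bySource = {};
  const deniedPlain = new Set();
  for (const line of text.split('\n')) {
    const e = parseLogLine(line);
    if (!e || !isFileDownload(e)) continue;
    if (!e.range && !e.session && e.status === 401) deniedPlain.add(e.src);
    if (!isSuspicious(e)) continue;
    flagged.push(e);
    bySource[e.src] = (bySource[e.src] || 0) + 1;
  }
  const deniedThenServed = Object.keys(bySource).filter((src) => deniedPlain.has(src));
  return { flagged, bySource, deniedThenServed };
}

// Plain-text report for a quick look; the structured result is in scanLog().
function report(text) {
  const { flagged, deniedThenServed } = scanLog(text);
  const lines = flagged.map((e) => `${e.ts} ${e.src} ${e.path} range=${e.range} status=${e.status}`);
  if (deniedThenServed.length) lines.push(`denied-then-served sources: ${deniedThenServed.join(', ')}`);
  return lines.join('\n');
}
```

On the sample log, `scanLog` flags the two anonymous ranged 206 responses from 203.0.113.5 and reports that source under `deniedThenServed`, while the ranged request carrying a session token and the ranged request to a non-file route are left alone. A single anonymous 206 on the files endpoint is already worth a look; the denied-then-served pairing is the stronger signal because a correctly enforced trigger would have answered both requests the same way.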
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-34784, you should immediately upgrade your Parse Server deployment to a patched version where this vulnerability is fixed.
- Upgrade to Parse Server version 8.6.71 or later, or 9.7.1-alpha.1 or later, where the afterFind trigger authorization is properly enforced on streaming file downloads.
- If immediate upgrade is not possible, as a temporary workaround, use the beforeFind(Parse.File) trigger for file access authorization, since it runs on all download paths including streaming, thereby enforcing access control.
- Review and ensure that your file triggers (afterFind and beforeFind) properly validate user sessions and enforce authorization logic.
- Monitor and restrict HTTP Range requests to file endpoints if feasible, to reduce the risk of unauthorized ranged downloads.
These steps will help prevent unauthorized access to protected files via streaming downloads until the official patch is applied.
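The flaw explained in the earlier answer (an afterFind(Parse.File) trigger invoked on the streaming path with its result discarded) and the workaround recommended above (a single check that runs ahead of every download path) are shown side by side in the following added example. It is a simplified model constructed for this page, not Parse Server source code: the session store, file store, tokens, file names and handler names are all assumptions, and the trigger is a stand-in with requireUser-style semantics.

```javascript
// Added example (constructed for this page, not Parse Server source code):
// a simplified model of the file-download flaw the advisory describes. An
// afterFind(Parse.File)-style trigger runs, but on a Range (streaming)
// request its decision is dropped, so the byte slice is sent anyway. The
// fixed handler resolves the user from the session token and enforces the
// trigger's decision before any bytes leave, on both paths. All names and
// data below (SESSIONS, FILES, tokens, file names) are assumptions.

// Constructed session store: session token -> user id (not real tokens).
const SESSIONS = new Map([['r:token-alice', 'alice']]);

// Constructed file store: file name -> { owner, content }.
const FILES = new Map([
  ['secret.pdf', { owner: 'alice', content: 'confidential-contents' }],
]);

// Resolve a user id from the X-Parse-Session-Token header, or null.
function userFromRequest(headers) {
  const token = headers['x-parse-session-token'];
  return token && SESSIONS.has(token) ? SESSIONS.get(token) : null;
}

// Parse a single-range "bytes=a-b" header against a body of `size` bytes.
// Returns [start, end] (inclusive) or null when absent or unsatisfiable.
function parseRange(header, size) {
  const m = /^bytes=(\d*)-(\d*)$/.exec(header || '');
  if (!m) return null;
  const start = m[1] === '' ? size - Number(m[2]) : Number(m[1]);
  const end = m[1] === '' || m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  return start >= 0 && start <= end ? [start, end] : null;
}

// Stand-in for an afterFind(Parse.File) trigger with requireUser semantics:
// no session -> 401, a user who is not the owner -> 403, otherwise allow and
// ask for a response header to be added.
function afterFindTrigger({ user, file }) {
  if (!user) return { allowed: false, status: 401 };
  if (file.owner !== user) return { allowed: false, status: 403 };
  return { allowed: true, headers: { 'cache-control': 'private' } };
}

function deny(status) {
  return { status, headers: {}, body: null };
}

// Build the response: full body (200) or the requested slice (206).
function buildResponse(file, range, extraHeaders) {
  const headers = { 'content-type': 'application/octet-stream', ...extraHeaders };
  if (!range) return { status: 200, headers, body: file.content };
  const [start, end] = range;
  headers['content-range'] = `bytes ${start}-${end}/${file.content.length}`;
  return { status: 206, headers, body: file.content.slice(start, end + 1) };
}

// VULNERABLE pattern: the trigger is called on the streaming path, but its
// decision and headers are discarded, so anonymous ranged reads succeed.
function handleDownloadVulnerable(name, headers) {
  const file = FILES.get(name);
  if (!file) return deny(404);
  const user = userFromRequest(headers);
  const range = parseRange(headers['range'], file.content.length);
  if (range) {
    afterFindTrigger({ user, file }); // return value ignored: the bug
    return buildResponse(file, range, {});
  }
  const decision = afterFindTrigger({ user, file });
  if (!decision.allowed) return deny(decision.status);
  return buildResponse(file, null, decision.headers);
}

// FIXED pattern: one decision point ahead of both the full and ranged paths.
function handleDownloadFixed(name, headers) {
  const file = FILES.get(name);
  if (!file) return deny(404);
  const user = userFromRequest(headers);
  const decision = afterFindTrigger({ user, file });
  if (!decision.allowed) return deny(decision.status);
  const range = parseRange(headers['range'], file.content.length);
  return buildResponse(file, range, decision.headers);
}
```

With no session token, `handleDownloadVulnerable('secret.pdf', { range: 'bytes=0-4' })` returns a 206 carrying the first five bytes, while the same request without a Range header is denied with 401; `handleDownloadFixed` denies both. The fix is structural rather than a tweak to the trigger: the authorization decision is taken once, before the code branches on the Range header, which is also why the page's interim workaround of moving the logic into beforeFind(Parse.File) works, since that trigger runs before either download path is chosen.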