Parse Server: Cloud function validator bypass via prototype chain traversal
Summary
| CVE | CVE-2026-34532 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-31 15:16:20 UTC |
| Updated | 2026-04-01 14:24:02 UTC |
| Description | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11. |
Risk And Classification
Primary CVSS: v4.0 9.1 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000440000 probability, percentile 0.134730000 (date 2026-04-01)
Problem Types: CWE-863 | CWE-863 CWE-863: Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Parse-community | Parse-server | affected < 8.6.67 | Not specified |
| CNA | Parse-community | Parse-server | affected >= 9.0.0, < 9.7.0-alpha.11 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/parse-community/parse-server/pull/10343 | [email protected] | github.com | |
| github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f686... | [email protected] | github.com | |
| github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883... | [email protected] | github.com | |
| github.com/parse-community/parse-server/pull/10342 | [email protected] | github.com | |
| github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.