GraphQL: Security breach on Viewer query

GHSA-236h-rqv8-8q73 · CVE-2020-15126

Published Jul 22, 2020 · Modified Mar 13, 2026

Description

Impact

An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Patches

This vulnerability has been patched in Parse Server 4.3.0.

Workarounds

References

See commit 78239ac for details.

References

WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-15126
WEB https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
WEB https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes