
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

GHSA-q5q9-2rhp-33qw · BIT-parse-2026-30854 · CVE-2026-30854


Description

Impact

When `graphQLPublicIntrospection` is disabled, `__type` queries nested inside inline fragments (e.g. `... on Query { __type(name: "User") { name } }`) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. `__schema` introspection is not affected.

Patches

The check was changed from a flat iteration over root-level selections to a recursive walk of all selection sets, detecting `__type` inside inline fragments at any depth.
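A minimal model of the flat check beside the recursive walk, as an added example that is not Parse Server's code. The hand-built AST nodes mirror the graphql-js node kinds but are constructed here so the example runs without the `graphql` package; resolving named fragments through a `fragments` map is this example's extension beyond the fix the advisory describes.

```javascript
// Constructed AST helpers shaped like graphql-js nodes (Field, InlineFragment,
// FragmentSpread). Not Parse Server code; built by hand for this example.
const field = (name, ...selections) => ({
  kind: 'Field', name: { value: name },
  selectionSet: selections.length ? { selections } : undefined,
});
const inlineFragment = (...selections) => ({ kind: 'InlineFragment', selectionSet: { selections } });
const spread = (name) => ({ kind: 'FragmentSpread', name: { value: name } });

// Vulnerable pattern from the advisory: only root-level selections are inspected,
// so a __type field wrapped in an inline fragment is never seen.
function flatHasTypeIntrospection(operation) {
  return operation.selectionSet.selections.some(
    (sel) => sel.kind === 'Field' && sel.name.value === '__type');
}

// Fixed pattern: walk every selection set recursively. FragmentSpread handling
// (via an assumed `fragments` map keyed by fragment name) goes beyond the advisory.
function hasTypeIntrospection(selectionSet, fragments = {}, seen = new Set()) {
  if (!selectionSet) return false;
  return selectionSet.selections.some((sel) => {
    if (sel.kind === 'Field') {
      return sel.name.value === '__type' || hasTypeIntrospection(sel.selectionSet, fragments, seen);
    }
    if (sel.kind === 'InlineFragment') return hasTypeIntrospection(sel.selectionSet, fragments, seen);
    if (sel.kind === 'FragmentSpread') {
      const name = sel.name.value;
      if (seen.has(name)) return false;               // guard against fragment cycles
      seen.add(name);
      return hasTypeIntrospection(fragments[name]?.selectionSet, fragments, seen);
    }
    return false;
  });
}

// Constructed query from the advisory: { ... on Query { __type(name: "User") { name } } }
const bypassQuery = { kind: 'OperationDefinition', selectionSet: { selections: [
  inlineFragment(field('__type', field('name'))),
] } };
// Constructed benign query: { users { name } }
const benignQuery = { kind: 'OperationDefinition', selectionSet: { selections: [
  field('users', field('name')),
] } };
// Constructed named-fragment variants: { ...T } with T hiding __type, and a self-referencing C
const fragments = {
  T: { kind: 'FragmentDefinition', selectionSet: { selections: [field('__type', field('name'))] } },
  C: { kind: 'FragmentDefinition', selectionSet: { selections: [spread('C')] } },
};
```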

Workarounds

Require master key authentication at the network layer (e.g. reverse proxy) for the GraphQL endpoint.
