Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
GHSA-7xg7-rqf6-pw6c · BIT-parse-2026-31800 · CVE-2026-31800
Description
Impact
The `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated `/graphql-config` and `/push_audiences` endpoints. An attacker can read, modify, and delete GraphQL configuration and push audience data.
Patches
The fix adds the affected internal classes to the `classesWithMasterOnlyAccess` list, ensuring that the generic `/classes/` routes enforce master key access consistently with the dedicated endpoints.
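The pattern behind this advisory is two enforcement points for the same data (a dedicated endpoint and a generic per-class route) that drifted apart. The following is an added illustration, not Parse Server's own code: it models the authorization decision on a generic `/classes/:className` route with a master-only class list, shows the "before" list (constructed, missing the two classes) beside the "after" list from the fix, and adds a consistency check that reports any class guarded by a dedicated endpoint but not by the generic route. The function names, the `auth.isMaster` shape, and the route-to-class map are assumptions for this example.

```javascript
// Added example modelling the check described in the advisory.
// Not Parse Server's code; names and shapes are assumptions.

// Dedicated endpoints that already require the master key, and the
// internal class each one fronts (from the advisory text).
const DEDICATED_MASTER_ONLY_ENDPOINTS = {
  '/graphql-config': '_GraphQLConfig',
  '/push_audiences': '_Audience',
};

// Constructed "before" list for the generic route: the two internal
// classes are absent, which is the inconsistency the advisory describes.
const MASTER_ONLY_CLASSES_BEFORE = [];

// "After" list: the fix adds the affected classes so the generic route
// enforces the master key the same way the dedicated endpoints do.
const MASTER_ONLY_CLASSES_AFTER = ['_GraphQLConfig', '_Audience'];

// Extract the class name from a generic class route such as
// /classes/_Audience or /classes/_Audience/<objectId>. Returns null
// for paths that are not generic class routes.
function classNameFromGenericRoute(path) {
  const m = /^\/classes\/([^/?]+)/.exec(path);
  return m ? decodeURIComponent(m[1]) : null;
}

// Authorization decision for one class: deny when the class is master-only
// and the request did not present the master key. `auth.isMaster` is an
// assumed shape for this example.
function authorizeClassAccess(className, auth, masterOnlyClasses) {
  if (masterOnlyClasses.includes(className) && !auth.isMaster) {
    return { allowed: false, reason: `master key required for ${className}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Gate a request to a generic class route using the given master-only list.
function gateRequest(path, auth, masterOnlyClasses) {
  const className = classNameFromGenericRoute(path);
  if (className === null) {
    return { allowed: true, reason: 'not a generic class route' };
  }
  return authorizeClassAccess(className, auth, masterOnlyClasses);
}

// Consistency check a maintainer can keep in a test suite: every class that a
// dedicated master-only endpoint protects must also appear in the generic
// route's master-only list. Returns the gaps (empty when consistent).
function findEnforcementGaps(dedicated, masterOnlyClasses) {
  return Object.entries(dedicated)
    .filter(([, className]) => !masterOnlyClasses.includes(className))
    .map(([route, className]) => ({ route, className }));
}

// Stand-alone demonstration with a constructed non-master request.
const nonMaster = { isMaster: false };
console.log('before fix:', gateRequest('/classes/_GraphQLConfig', nonMaster, MASTER_ONLY_CLASSES_BEFORE));
console.log('after fix: ', gateRequest('/classes/_GraphQLConfig', nonMaster, MASTER_ONLY_CLASSES_AFTER));
console.log('gaps before:', findEnforcementGaps(DEDICATED_MASTER_ONLY_ENDPOINTS, MASTER_ONLY_CLASSES_BEFORE));
console.log('gaps after: ', findEnforcementGaps(DEDICATED_MASTER_ONLY_ENDPOINTS, MASTER_ONLY_CLASSES_AFTER));
```

The `findEnforcementGaps` check is the part worth keeping: if the set of master-only classes is derived from the same table that drives the dedicated endpoints, or is asserted against it in CI, a new internal class cannot be protected on one path and exposed on the other.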
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.25
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-31800
- Package: https://github.com/parse-community/parse-server