UNKNOWN npm
GraphQL API endpoint ignores CORS origin restriction
GHSA-q3p6-g7c4-829c · BIT-parse-2026-34373 · CVE-2026-34373
Published · Modified
Description
Impact
The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction.
Patches
The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the allowOrigin and allowHeaders server options are consistently enforced across all endpoints.
Workarounds
There is no known workaround other than upgrading.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34373
- WEB https://github.com/parse-community/parse-server/pull/10334
- WEB https://github.com/parse-community/parse-server/pull/10335
- WEB https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
- WEB https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
- PACKAGE https://github.com/parse-community/parse-server
Ready to move
Start Securing
Free, no credit card | First findings in minutes