Parser Server's streaming file download bypasses afterFind file trigger authorization
GHSA-hpm8-9qx6-jvwv · BIT-parse-2026-34784 · CVE-2026-34784
Published · Modified
Description
Impact
File downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.
Patches
The streaming file download path now executes the afterFind(Parse.File) trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.
Workarounds
Use beforeFind(Parse.File) instead of afterFind(Parse.File) for file access authorization. The beforeFind trigger runs on all download paths including streaming.
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34784
- WEB https://github.com/parse-community/parse-server/pull/10361
- WEB https://github.com/parse-community/parse-server/pull/10362
- WEB https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
- WEB https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
- PACKAGE https://github.com/parse-community/parse-server
Ready to move
Start Securing
Free, no credit card | First findings in minutes