CVE-2026-34373
MEDIUM
5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
346
Origin Validation Error
DraftCommon Consequences
Security Scopes Affected:
Other
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Varies By Context
Applicable Platforms
Technologies:
Not Technology-Specific, Web Based
https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7…
https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10…
https://github.com/parse-community/parse-server/pull/10334
https://github.com/parse-community/parse-server/pull/10335
https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g…