CVE-2026-34784
HIGH
8.2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
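The bug class behind this advisory is a request handler that decides the delivery path (full download vs. HTTP Range streaming) before it runs the authorization hook, so the streaming path never reaches the hook. The following is an added illustration written for this page, not Parse Server's own code: an in-memory stand-in for a streaming-capable adapter (named GridFSLikeAdapter here), an afterFind-style hook with a requireUser-style validator (afterFindFile, a hypothetical name), a vulnerable handler that takes the Range branch first, and a hardened handler that authorizes once before choosing how to deliver the bytes. Route, adapter and hook names are assumptions for the example.

```javascript
// Added example (not Parse Server code): model of the CVE-2026-34784 bug class.
// Names such as GridFSLikeAdapter, afterFindFile and requireUser are hypothetical
// stand-ins used for illustration only.
'use strict';

// Constructed in-memory stand-in for a storage adapter that supports streaming.
class GridFSLikeAdapter {
  constructor(files) { this.files = files; }            // { name: Buffer }
  handleFileStream() { return true; }                    // adapter advertises streaming
  getFileData(name) {
    const buf = this.files[name];
    if (!buf) { const e = new Error('not found'); e.status = 404; throw e; }
    return buf;
  }
  // Serve a byte range directly from storage, as a streaming adapter would.
  streamRange(name, start, end) {
    const buf = this.getFileData(name);
    const last = Math.min(end, buf.length - 1);
    return { status: 206, range: `bytes ${start}-${last}/${buf.length}`, body: buf.subarray(start, last + 1) };
  }
}

// Authorization hook modelled on an afterFind(Parse.File) trigger with a
// requireUser-style validator: reject anonymous callers, then let a per-file
// hook veto the read.
function afterFindFile(req, fileName, opts) {
  if (opts.requireUser && !req.user) { const e = new Error('Unauthorized'); e.status = 401; throw e; }
  if (opts.hook && !opts.hook(req.user, fileName)) { const e = new Error('Forbidden'); e.status = 403; throw e; }
}

// Minimal Range parser: supports "bytes=start-end" and "bytes=start-".
function parseRange(header, size) {
  const m = /^bytes=(\d+)-(\d*)$/.exec(header || '');
  if (!m) return null;
  const start = Number(m[1]);
  const end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  return start <= end ? { start, end } : null;
}

// Vulnerable: the streaming branch is chosen before authorization runs, so a
// ranged request never hits afterFindFile.
function vulnerableGetFile(req, adapter, opts) {
  try {
    if (req.headers.range && adapter.handleFileStream()) {
      const size = adapter.getFileData(req.file).length;
      const r = parseRange(req.headers.range, size);
      if (!r) return { status: 416 };
      return adapter.streamRange(req.file, r.start, r.end);   // hook skipped
    }
    afterFindFile(req, req.file, opts);
    return { status: 200, body: adapter.getFileData(req.file) };
  } catch (e) {
    return { status: e.status || 500 };
  }
}

// Hardened: authorize first; the delivery mode is decided only afterwards, so
// every path (full body or byte range) is covered by the same check.
function hardenedGetFile(req, adapter, opts) {
  try {
    afterFindFile(req, req.file, opts);
    const data = adapter.getFileData(req.file);
    if (req.headers.range && adapter.handleFileStream()) {
      const r = parseRange(req.headers.range, data.length);
      if (!r) return { status: 416 };
      return adapter.streamRange(req.file, r.start, r.end);
    }
    return { status: 200, body: data };
  } catch (e) {
    return { status: e.status || 500 };
  }
}

// Constructed sample data and requests.
const adapter = new GridFSLikeAdapter({ 'secret.txt': Buffer.from('top secret payroll data') });
const opts = { requireUser: true, hook: (user) => Boolean(user) && user.id === 'owner' };
const anonFull   = { user: null,            file: 'secret.txt', headers: {} };
const anonRange  = { user: null,            file: 'secret.txt', headers: { range: 'bytes=0-9' } };
const ownerRange = { user: { id: 'owner' }, file: 'secret.txt', headers: { range: 'bytes=0-9' } };

function demo() {
  return {
    vulnFull:   vulnerableGetFile(anonFull, adapter, opts).status,   // 401: hook ran
    vulnRange:  vulnerableGetFile(anonRange, adapter, opts).status,  // 206: bypass, bytes leak
    fixedRange: hardenedGetFile(anonRange, adapter, opts).status,    // 401: hook ran
    ownerRange: hardenedGetFile(ownerRange, adapter, opts).status,   // 206: legitimate ranged read
  };
}
console.log(demo());
```

A quick check against a deployment is to request the same protected file twice as an unauthenticated client, once plainly and once with `Range: bytes=0-0` (for example `curl -sI -H 'Range: bytes=0-0' <file URL>`); a 206 on the ranged request where the plain request is refused with 401/403 is the bypass described above, and the hardened ordering is what the fix needs to guarantee on every adapter that reports streaming support.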
CWE-285: Improper Authorization
Common Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies:
Database Server, Not Technology-Specific, Web Server
References
https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed841…
https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d25…
https://github.com/parse-community/parse-server/pull/10361
https://github.com/parse-community/parse-server/pull/10362
https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9…