TROYANOSYVIRUS
Back to CVEs

CVE-2026-34532

CRITICAL
9.1

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.

CVE Details

CVSS v3.1 Score9.1
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published3/31/2026
Last Modified4/2/2026
Sourcenvd
Honeypot Sightings0

Affected Products

parseplatform:parse-server

Weaknesses (CWE)

CWE-863

References

https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7(security-advisories@github.com)
https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674(security-advisories@github.com)
https://github.com/parse-community/parse-server/pull/10342(security-advisories@github.com)
https://github.com/parse-community/parse-server/pull/10343(security-advisories@github.com)
https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6(security-advisories@github.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.