CVE-2026-34373

MEDIUM EPSS 10.2%
Published Mar 31, 2026 (3mo ago) · Modified Jun 17, 2026 (1w ago)
5.3 CVSS 4.0
Medium

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Passive (P)
Scope X

Threat Intelligence

EPSS Exploit Probability
10.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-346

Affected Products 11

Vendor         Product       Version  Range
parseplatform  parse-server  *        ≥3.5.0 – <8.6.66
parseplatform  parse-server  *        ≥9.0.0 – <9.7.0
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any

References 5

  • https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263
    Patch
  • https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203
    Patch
  • https://github.com/parse-community/parse-server/pull/10334
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/pull/10335
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c
    Patch, Vendor Advisory
