CVE-2026-34532 · CRITICAL 9.1 · EPSS percentile 19.3%

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.28% probability of exploitation · percentile 19.3% · 2026-06-19T12:03:05Z
Published: 2026-03-31
Last modified: 2026-04-02

Underlying weaknesses (1)

CWE-863 (Incorrect Authorization)

References

  1. https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7
  2. https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674
  3. https://github.com/parse-community/parse-server/pull/10342
  4. https://github.com/parse-community/parse-server/pull/10343
  5. https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6

Classification (1)

Type       Target                              Confidence   Tier
Weakness   Incorrect Authorization (CWE-863)   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-33409
  - CVE: CVE-2026-32248
  - CVE: CVE-2026-30967
  - CVE: CVE-2026-34373
  - CVE: CVE-2026-31800
  - CVE: CVE-2026-30965
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.