{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T06:40:34.625","vulnerabilities":[{"cve":{"id":"CVE-2026-31800","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T21:16:49.683","lastModified":"2026-03-11T18:30:54.260","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.12 y 8.6.25, las clases internas _GraphQLConfig y _Audience podían ser leídas, modificadas y eliminadas a través de las rutas genéricas de la API REST /classes/_GraphQLConfig y /classes/_Audience sin autenticación de clave maestra. Esto elude la aplicación de la clave maestra que existe en los endpoints dedicados /graphql-config y /push_audiences. Un atacante puede leer, modificar y eliminar la configuración de GraphQL y los datos de audiencia de push. Esta vulnerabilidad está corregida en 9.5.2-alpha.12 y 8.6.25."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.25","matchCriteriaId":"6639CFFD-DB7D-41C2-92AA-7B13FA257916"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.5.2","matchCriteriaId":"E66572ED-597B-4D8E-A636-733D463A4E4D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*","matchCriteriaId":"79CCA374-1498-4651-9FF9-F0B73D76CEB9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*","matchCriteriaId":"2EEA21BC-9699-4625-9319-5C687219C716"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"601B2CF1-D29A-42CC-8405-185C1A8E1EB2"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"BC9F2B9D-026F-454B-B565-05AA441FA54F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"FDDB20F1-F6A7-4B1E-B075-CC250613D826"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"19B7C5A9-B59A-4A47-B4F0-13C7C796B496"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*","matchCriteriaId":"0E619B8B-BC91-4F71-B84D-52E563AB8E03"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*","matchCriteriaId":"6C9DB980-4201-43D3-B019-2A6B325B896E"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.25","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}