{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-12T12:19:44.391","vulnerabilities":[{"cve":{"id":"CVE-2026-32594","sourceIdentifier":"security-advisories@github.com","published":"2026-03-16T14:19:38.667","lastModified":"2026-03-17T18:06:40.090","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 8.6.40 y 9.6.0-alpha.14, el endpoint GraphQL WebSocket para suscripciones no pasa las solicitudes a través de la cadena de middleware de Express que aplica la autenticación, el control de introspección y los límites de complejidad de las consultas. Un atacante puede conectarse al endpoint WebSocket y ejecutar operaciones GraphQL sin proporcionar una clave de aplicación o de API válida, acceder al esquema GraphQL a través de la introspección incluso cuando la introspección pública está deshabilitada, y enviar consultas arbitrariamente complejas que eluden los límites de complejidad configurados. 
Esta vulnerabilidad está corregida en 8.6.40 y 9.6.0-alpha.14."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknes
ses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.40","matchCriteriaId":"A70525A7-4834-41AF-8BA6-D308DF3387F9"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.6.0","matchCriteriaId":"1BAC01F8-0899-482C-8D91-64671BF2859A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"BBED261F-CA1B-44BC-9C3A-37378590EFEE"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*","matchCriteriaId":"418338C9-6AEC-492C-ACA4-9B3C0AAE149C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*","matchCriteriaId":"808B6482-BF8E-407D-8462-E757657CC323"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*","matchCriteriaId":"B84C28F8-AADE-41BB-A0EF-B701AB57DC3A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*","matchCriteriaId":"7567BB81-7837-4265-B792-6A9B73CECF93"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"EDC98AF7-8620-4A25-9BE5-623672599677"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"DF340605-8CC8-4543-9F5D-E8602D258CED"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"A052DFCA-EDCC-43D7-82C7-E5311F6F7687"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"12B11714-B961-4330-B241-FC5AF94FDB
E8"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"37A7C42B-4986-4BB6-BB27-0324A9AA1CFF"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"C793834B-64B4-4DE9-BD7D-79B52C30C34E"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*","matchCriteriaId":"7AD455C8-88BE-4A0A-B33D-3A7811FFB753"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*","matchCriteriaId":"26C475A2-997C-4C3A-8CB6-04AB3534BBC3"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/pull/10189","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/parse-community/parse-server/pull/10190","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg","source":"security-advisories@github.com","tags":["Mitigation","Patch","Vendor Advisory"]}]}}]}