CVE-2026-30854

EPSS 0.28%
Veröffentlicht 07.03.2026 16:24:10
Zuletzt bearbeitet 10.03.2026 16:52:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.4.0 < 9.5.0

Parseplatform ≫ Parse-server Version9.3.1 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.3.1 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.193

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-30854

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30854

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30854

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30854