CVE-2026-34373

EPSS 0.2%
Veröffentlicht 31.03.2026 14:38:16
Zuletzt bearbeitet 02.04.2026 18:40:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: GraphQL API endpoint ignores CORS origin restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 11 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 3.5.0 < 8.6.66

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c

Patch

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10334

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/10335

Patch

Issue Tracking

https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263

Patch

https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-34373

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34373

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34373

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34373