Description
The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction.
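To confirm on your own deployment that the GraphQL endpoint honours the same `allowOrigin` setting as the REST API (before and after upgrading), the following script is an added example and not parse-server's own code. It classifies how an endpoint answered a cross-origin probe by its `Access-Control-Allow-Origin` header and compares several endpoints of one deployment. Assumptions: `allowOrigin` holds one origin string or an array of origin strings (check the option's type for your version), the REST API is mounted at `/parse` and GraphQL at `/graphql` (the defaults), and the origins, paths and responses below are constructed, not captured from a real server.

```javascript
// Added example; not parse-server's own code. It classifies how an endpoint
// answered a cross-origin probe, so an operator can check that the GraphQL
// endpoint honours the same allowOrigin setting as the REST API, for example
// before and after upgrading. Sample responses below are constructed.

// Assumed operator configuration: allowOrigin holds one origin string or an
// array of origin strings (check the option's type for your version).
const ALLOW_ORIGIN = 'https://app.example';
// Constructed origin that is NOT in allowOrigin, used as the probe value.
const UNTRUSTED_ORIGIN = 'https://untrusted.example';

// Classify one response by its Access-Control-Allow-Origin (ACAO) header.
// `headers` is a plain object with lower-case header names.
function classifyCors(requestOrigin, headers, allowOrigin = ALLOW_ORIGIN) {
  const acao = headers['access-control-allow-origin'];
  const allowed = [].concat(allowOrigin);
  if (acao === undefined) return 'no-cors';        // browser blocks the read
  if (acao === '*') return 'wildcard';             // every site may read
  if (allowed.includes(acao)) return 'restricted'; // only configured sites
  if (acao === requestOrigin) return 'reflects-untrusted-origin'; // probe echoed
  return 'unexpected';
}

// Classifications that mean the configured restriction is not in effect.
const BYPASS = new Set(['wildcard', 'reflects-untrusted-origin']);

// Compare several endpoints of one deployment; returns one finding per
// endpoint plus an overall flag if any endpoint is weaker than the config.
function auditEndpoints(responses, allowOrigin = ALLOW_ORIGIN) {
  const findings = responses.map(({ endpoint, requestOrigin, headers }) => {
    const policy = classifyCors(requestOrigin, headers, allowOrigin);
    return { endpoint, policy, bypassesAllowOrigin: BYPASS.has(policy) };
  });
  return { findings, anyBypass: findings.some(f => f.bypassesAllowOrigin) };
}

// Send a CORS preflight to one path of your own deployment and return its
// headers in the shape classifyCors expects (Node 18+ global fetch).
// Example: await probe('https://parse.example', '/graphql')
async function probe(baseUrl, path, origin = UNTRUSTED_ORIGIN) {
  const res = await fetch(new URL(path, baseUrl), {
    method: 'OPTIONS',
    headers: { Origin: origin, 'Access-Control-Request-Method': 'POST' },
  });
  return Object.fromEntries(res.headers.entries()); // names are lower-case
}

// Constructed responses illustrating the advisory: REST honours allowOrigin,
// the GraphQL endpoint answers with a wildcard. Paths are the assumed defaults.
const SAMPLE_BEFORE_UPGRADE = [
  { endpoint: '/parse/classes/Item', requestOrigin: UNTRUSTED_ORIGIN,
    headers: { 'access-control-allow-origin': ALLOW_ORIGIN } },
  { endpoint: '/graphql', requestOrigin: UNTRUSTED_ORIGIN,
    headers: { 'access-control-allow-origin': '*' } },
];

// Constructed responses for a deployment where both endpoints agree.
const SAMPLE_AFTER_UPGRADE = SAMPLE_BEFORE_UPGRADE.map(r => ({
  ...r, headers: { 'access-control-allow-origin': ALLOW_ORIGIN },
}));

// Run both constructed audits; the first reports anyBypass: true.
function demo() {
  return {
    before: auditEndpoints(SAMPLE_BEFORE_UPGRADE),
    after: auditEndpoints(SAMPLE_AFTER_UPGRADE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Feed `probe()` results from your own server into `auditEndpoints()` with the `allowOrigin` value from your configuration; a `wildcard` or `reflects-untrusted-origin` finding on `/graphql` while the REST endpoint reports `restricted` is the inconsistency this advisory describes. A `no-cors` result is not a bypass by itself: the browser refuses the read, which is the intended effect when no matching origin is configured.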
Recommendation
Update the parse-server package to the latest compatible version. The following are the version details:
Affected version(s): **>= 3.5.0, < 8.6.66** and **>= 9.0.0, < 9.7.0-alpha.10**
Patched version(s): **8.6.66**, **9.7.0-alpha.10**
References
Related Issues
- Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction - CVE-2026-30228
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
Tags: npm, parse-server
Last updated on March 31, 2026