Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Description

The _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.25

  >= 9.0.0-alpha.1, < 9.5.2-alpha.12**

• Patched version(s): **8.6.25

  9.5.2-alpha.12**

References

• GHSA-7xg7-rqf6-pw6c
• CVE-2026-31800
• CWE-862
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server has a bypass of class-level permissions in LiveQuery - CVE-2026-30947
• Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
• Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

parse-server