Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
- Severity: Medium
Description
When `graphQLPublicIntrospection` is disabled, `__type` queries nested inside inline fragments (e.g. `... on Query { __type(name:"User") { name } }`) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. `__schema` introspection is not affected.
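As an added illustration of the bug class (example code, not Parse Server's own implementation): a check that inspects only an operation's top-level selections, beside a hardened one that walks the whole selection tree. It goes slightly beyond the advisory by also following fragment spreads, which the same reasoning covers. The AST node kinds are those produced by graphql-js's `parse()`; the documents are hand-built below so the example runs without the `graphql` package.

```javascript
// Added example, not Parse Server code. AST node kinds mirror graphql-js
// (OperationDefinition, Field, InlineFragment, FragmentSpread,
// FragmentDefinition, selectionSet.selections); documents are hand-built.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Naive check: top-level fields only. A __type wrapped in an inline fragment
// is an InlineFragment node, not a Field, so it is never inspected.
function naiveHasIntrospection(doc) {
  return doc.definitions.some(def => def.kind === 'OperationDefinition' &&
    def.selectionSet.selections.some(sel =>
      sel.kind === 'Field' && INTROSPECTION_FIELDS.has(sel.name.value)));
}

// Hardened check: recurse through fields, inline fragments and fragment
// spreads (resolved against the document's FragmentDefinitions).
function hasIntrospection(doc) {
  const fragments = new Map(doc.definitions
    .filter(d => d.kind === 'FragmentDefinition').map(d => [d.name.value, d]));
  const visited = new Set(); // guards against cyclic fragment spreads
  const walk = (set) => !!set && set.selections.some(sel => {
    if (sel.kind === 'Field')
      return INTROSPECTION_FIELDS.has(sel.name.value) || walk(sel.selectionSet);
    if (sel.kind === 'InlineFragment') return walk(sel.selectionSet);
    if (sel.kind === 'FragmentSpread' && !visited.has(sel.name.value)) {
      visited.add(sel.name.value);
      const frag = fragments.get(sel.name.value);
      return frag ? walk(frag.selectionSet) : false;
    }
    return false;
  });
  return doc.definitions.some(d => d.kind === 'OperationDefinition' && walk(d.selectionSet));
}

// Small constructors for hand-built AST nodes.
const field = (name, sels) =>
  ({ kind: 'Field', name: { value: name }, selectionSet: sels && { selections: sels } });
const inline = (sels) => ({ kind: 'InlineFragment', selectionSet: { selections: sels } });
const spread = (name) => ({ kind: 'FragmentSpread', name: { value: name } });
const fragment = (name, sels) =>
  ({ kind: 'FragmentDefinition', name: { value: name }, selectionSet: { selections: sels } });
const makeDoc = (sels, extra = []) => ({ kind: 'Document', definitions: [
  { kind: 'OperationDefinition', operation: 'query', selectionSet: { selections: sels } },
  ...extra] });

// Constructed samples. bypassQuery has the advisory's shape:
//   { ... on Query { __type(name: "User") { name } } }
const bypassQuery = makeDoc([inline([field('__type', [field('name')])])]);
const spreadQuery = makeDoc([spread('T')], [fragment('T', [field('__type', [field('name')])])]);
const plainQuery = makeDoc([field('user', [field('name')])]);
const topLevelQuery = makeDoc([field('__schema', [field('types', [field('name')])])]);
```

The naive check returns false for `bypassQuery` while the hardened one returns true; both agree on the plain and top-level cases.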
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): >= 9.3.1-alpha.3, < 9.5.0-alpha.10
- Patched version(s): 9.5.0-alpha.10
References
Related Issues
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
- Tags: npm, parse-server
Last updated on March 09, 2026