Parse Server's GraphQL WebSocket endpoint bypasses security middleware
- Severity: Medium
Description
Any Parse Server deployment that exposes the GraphQL API is affected. The GraphQL WebSocket endpoint used for subscriptions does not route requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits, so those controls do not apply to connections made over WebSocket.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **< 8.0.0**; **>= 9.0.0, < 9.6.0-alpha.14**
- Patched version(s): **8.6.40**; **9.6.0-alpha.14**
References
Related Issues
- Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850
- Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint - CVE-2026-32269
- Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Tags: npm, parse-server
Last updated on March 16, 2026