Parser Server's streaming file download bypasses afterFind file trigger authorization
- Severity:
- High
Description
File downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **< 8.6.71 >= 9.0.0, < 9.7.1-alpha.1** Patched version(s): **8.6.71 9.7.1-alpha.1**
References
Related Issues
- Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850
- parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction - CVE-2026-30228
- Parse Server leaks protected fields via LiveQuery afterEvent trigger - CVE-2026-33163
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on April 01, 2026


