{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30854", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-07T16:24:10.312Z", "dateUpdated": "2026-03-09T18:25:03.815Z"}, "containers": {"cna": {"title": "Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.3.1-alpha.3, < 9.5.0-alpha.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:24:10.312Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:\"User\") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10."}], "source": {"advisory": "GHSA-q5q9-2rhp-33qw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T16:44:20.389659Z", "id": "CVE-2026-30854", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:25:03.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30854", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T16:44:20.389659Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T16:44:24.657Z"}}], "cna": {"title": "Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled", "source": {"advisory": "GHSA-q5q9-2rhp-33qw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.3.1-alpha.3, < 9.5.0-alpha.10"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:\"User\") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:24:10.312Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30854", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:25:03.815Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:24:10.312Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A7EEB7CA-DB11-4D0C-891E-B70B85FF44B3", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "C73893F8-315F-4FE3-9ADB-DD2965797C46", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "3316761A-EDF2-4798-9282-B4D6DB774134", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3E9F95CF-EEE1-42FC-904E-321F05E3DE4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "5C02D6F0-5A3A-45F5-8A74-F75A8CCAE7DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "103C9745-031B-4822-A19C-A61375FBB1AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "8D67029D-C1BD-4D46-A84F-C52B4D364268", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "3B10930D-B416-4D9A-BA26-F0AD22BFAE28", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "72794836-5CFB-4928-BB22-D7DE813809B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "FA2C4C1E-3AE6-48E0-8B59-80554AE85BB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "40C8E499-E5C6-48DD-AE36-B73B2B6ADA67", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "E92B2675-5D49-404B-BEC1-7037D6C1ACD5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:\"User\") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Desde la versi\u00f3n 9.3.1-alpha.3 hasta antes de la versi\u00f3n 9.5.0-alpha.10, cuando graphQLPublicIntrospection est\u00e1 deshabilitado, las consultas __type anidadas dentro de fragmentos en l\u00ednea (por ejemplo, ... on Query { __type(name:'User') { name } }) eluden el control de introspecci\u00f3n, permitiendo a usuarios no autenticados realizar reconocimiento de tipos. La introspecci\u00f3n de __schema no se ve afectada. Este problema ha sido parcheado en la versi\u00f3n 9.5.0-alpha.10."}], "id": "CVE-2026-30854", "lastModified": "2026-03-10T16:52:21.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T17:15:52.910", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.3.1-alpha.3,9.5.0-alpha.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-17T12:07:04.352737+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 9.5.0\u2011alpha.10 or later to apply the official fix for the GraphQL introspection bypass.", "If an upgrade cannot be performed immediately, restrict access to the GraphQL endpoint so that only authenticated users or trusted clients can reach it, for example by placing a firewall or API gateway in front of the service.", "Confirm that the feature flag `graphQLPublicIntrospection` remains disabled; this flag alone does not protect against the bypass and should only be used in combination with the vendor patch."], "summary": {"action": "Immediate Patch", "impact": "Type Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the Parse Server open\u2011source backend. Versions from 9.3.1\u2011alpha.3 up to, but not including, 9.5.0\u2011alpha.10 are vulnerable. All instances hosted on any Node.js\u2011capable infrastructure that have the mentioned range of Parse Server releases should be inspected.", "description_and_impact": "The vulnerability arises from the GraphQL implementation in Parse Server, where inline fragments containing __type queries bypass the public introspection guard when graphQLPublicIntrospection is disabled. This allows unauthenticated users to determine the names of types, such as \"User\", which is a form of information disclosure. The flaw maps to the CWE-863 weakness of failing to enforce accurate authorization checks for type introspection under controlled circumstances.", "risk_and_exploitability": "The CVSS score is 6.9, indicating moderate severity, and the EPSS score is less than 1\u202f%, implying a low likelihood of exploitation at the time of assessment. The issue is not listed in CISA\u2019s KEV catalog. Exploitation requires a client with network access to the exposed GraphQL endpoint and the knowledge that public introspection has been disabled; an attacker can simply send crafted inline\u2011fragment queries to discover type names."}}}}, "created": "2026-03-09T10:04:57.953222+00:00", "updated": "2026-04-17T12:15:18.165923+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}