{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31800", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-10T20:51:14.338Z", "dateUpdated": "2026-03-11T16:00:38.736Z"}, "containers": {"cna": {"title": "Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0 < 9.5.2-alpha.12", "status": "affected"}, {"version": "< 8.6.25", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:51:14.338Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25."}], "source": {"advisory": "GHSA-7xg7-rqf6-pw6c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:53:42.498516Z", "id": "CVE-2026-31800", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:00:38.736Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes", "source": {"advisory": "GHSA-7xg7-rqf6-pw6c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0 < 9.5.2-alpha.12"}, {"status": "affected", "version": "< 8.6.25"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:51:14.338Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31800", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:53:42.498516Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T15:53:43.499Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-31800", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:51:14.338Z", "dateReserved": "2026-03-09T16:33:42.913Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:51:14.338Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6639CFFD-DB7D-41C2-92AA-7B13FA257916", "versionEndExcluding": "8.6.25", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "79CCA374-1498-4651-9FF9-F0B73D76CEB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "2EEA21BC-9699-4625-9319-5C687219C716", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "0E619B8B-BC91-4F71-B84D-52E563AB8E03", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "6C9DB980-4201-43D3-B019-2A6B325B896E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.12 y 8.6.25, las clases internas _GraphQLConfig y _Audience pod\u00edan ser le\u00eddas, modificadas y eliminadas a trav\u00e9s de las rutas gen\u00e9ricas de la API REST /classes/_GraphQLConfig y /classes/_Audience sin autenticaci\u00f3n de clave maestra. Esto elude la aplicaci\u00f3n de la clave maestra que existe en los endpoints dedicados /graphql-config y /push_audiences. Un atacante puede leer, modificar y eliminar la configuraci\u00f3n de GraphQL y los datos de audiencia de push. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.12 y 8.6.25."}], "id": "CVE-2026-31800", "lastModified": "2026-03-11T18:30:54.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:49.683", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.5.2-alpha.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.25)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-16T09:26:40.660411+00:00", "value": {"mitigation_remediation": ["Update to Parse Server 8.6.25 or later, and to 9.5.2-alpha.12 or later.", "Restrict network access to the /classes/_GraphQLConfig and /classes/_Audience endpoints using firewall rules or network segmentation to limit exposure to trusted hosts.", "Enable monitoring of access logs for these endpoints and alert on unauthorized attempts to detect exploitation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification and deletion of GraphQL configuration and push audience data due to master key bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Parse Server versions prior to 8.6.25 and 9.5.2-alpha.12, including all 9.5.2-alpha releases up to alpha.11 and any 8.6.x release below 8.6.25. Users running Parse Server on Node.js should verify that they are not using these affected releases.", "description_and_impact": "Parse Server allows unauthenticated access to the internal _GraphQLConfig and _Audience classes through the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes. This bypasses the master key enforcement that is present on dedicated endpoints, enabling an attacker to read, modify, or delete GraphQL configuration and push audience data without any credential. The flaw represents an authorization bypass vulnerability (CWE-862) that can compromise the integrity and confidentiality of application configuration and push notification audiences.", "risk_and_exploitability": "With a CVSS score of 8.8 the flaw is considered high severity. The EPSS score is below 1%, indicating low exploitation probability at the time of this analysis, and it is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability by issuing HTTP requests to the exposed generic class routes, which do not require authentication or the master key. The attack path is straightforward for anyone with network access to the Parse Server instance."}}}}, "created": "2026-03-11T11:42:11.772266+00:00", "updated": "2026-04-16T09:30:06.051717+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}