{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34784", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.556Z", "datePublished": "2026-03-31T19:39:54.736Z", "dateUpdated": "2026-03-31T20:29:38.765Z"}, "containers": {"cna": {"title": "Parse Server: Streaming file download bypasses afterFind file trigger authorization", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv"}, {"name": "https://github.com/parse-community/parse-server/pull/10361", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10361"}, {"name": "https://github.com/parse-community/parse-server/pull/10362", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10362"}, {"name": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337"}, {"name": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.71", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.1-alpha.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:39:54.736Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1."}], "source": {"advisory": "GHSA-hpm8-9qx6-jvwv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T20:29:31.019523Z", "id": "CVE-2026-34784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:29:38.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T20:29:31.019523Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:29:34.734Z"}}], "cna": {"title": "Parse Server: Streaming file download bypasses afterFind file trigger authorization", "source": {"advisory": "GHSA-hpm8-9qx6-jvwv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.71"}, {"status": "affected", "version": ">= 9.0.0, < 9.7.1-alpha.1"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10361", "name": "https://github.com/parse-community/parse-server/pull/10361", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10362", "name": "https://github.com/parse-community/parse-server/pull/10362", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "name": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "name": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:39:54.736Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34784", "state": "PUBLISHED", "dateUpdated": "2026-03-31T20:29:38.765Z", "dateReserved": "2026-03-30T19:54:55.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T19:39:54.736Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "66C11625-A695-4E83-8283-BF83421A5F31", "versionEndExcluding": "8.6.71", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EF03C109-6DCF-4359-A9EC-44C14A80B9FA", "versionEndExcluding": "9.7.1", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1."}], "id": "CVE-2026-34784", "lastModified": "2026-04-01T17:06:54.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T20:16:29.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10361"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10362"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.71)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.1-alpha.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-02T04:54:15.835456+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.71 or newer, or 9.7.1-alpha.1 or newer, which contains the patch that enforces afterFind validation on streaming downloads.", "Verify that afterFind triggers and requiredUser validators are correctly configured for any protected file types.", "If immediate upgrade is not possible, temporarily disable HTTP Range support or restrict streaming adapters until a patched version is deployed.", "Monitor access logs for unexpected file download patterns and audit for unauthorized access after deployment of the fix."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "The issue affects parse-community\u2019s Parse Server for all releases before 8.6.71 and before 9.7.1-alpha.1. It applies to installations that use storage adapters that support streaming, such as the default GridFS adapter, on any infrastructure capable of running Node.js.", "description_and_impact": "Parse Server, an open\u2011source Node.js backend, had a flaw that allowed HTTP Range requests to skip the afterFind(Parse.File) trigger. The trigger normally enforces authorization checks such as requireUser, and without it an attacker is able to obtain files that should be protected. The vulnerability is a classic example of improper authorization validation (CWE\u2011285).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity, and the EPSS score of less than 1% suggests the likelihood of exploitation is currently low, though the vulnerability is not listed in the KEV catalog. Attackers can trigger the vulnerability remotely by sending a Range-header based download request to a file that is normally gated by an afterFind trigger. If successful, the attacker gains read access to protected files, compromising confidentiality and potentially enabling further exploitation."}}}}, "created": "2026-04-02T07:53:03.944321+00:00", "updated": "2026-04-02T20:11:00.039973+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}