216.73.216.133

CVE-2026-34532

· Published 31/03/2026 15:16 · Modified 01/04/2026 14:24

Labels: CVE-2026-34532 2026-03-31CVE-2026-34532CWE-863[email protected]

Essential information

Published
31/03/2026 15:16
Modified
01/04/2026 14:24
Author
Creator
CVSS
9.1 CRITICAL (v3) 9.1 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
parse server / parse server cpe:2.3:a:parse_server:parse_server:<8.6.67:*:*:*:*:*:*:*
parse server / parse server cpe:2.3:a:parse_server:parse_server:<9.7.0-alpha.11:*:*:*:*:*:*:*

References