CVE-2026-34573

April 1, 2026, 2:24 p.m.

8.2
High

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

Product(s) Impacted

Vendor Product Versions
Parse Server
  • Parse Server
  • <8.6.68, <9.7.0-alpha.12

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-407
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a parse_server parse_server <8.6.68 / / / / / / /
a parse_server parse_server <9.7.0-alpha.12 / / / / / / /

References

https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
https://github.com/parse-community/parse-server/pull/10344
https://github.com/parse-community/parse-server/pull/10345
https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c

Tags

[email protected]
CWE-407
2026-03-31
CVE-2026-34573

CVSS Score

8.2 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: March 31, 2026, 4:16 p.m.
Last Modified: April 1, 2026, 2:24 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.