Cyber Resilience

CVE-2026-30946

HighDDoS

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0056 42.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30946 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30946 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. Versions prior to 9.5.2-alpha.2 and 8.6.15 lack complexity limits in their REST and GraphQL APIs, enabling crafted queries to exhaust server resources including CPU, memory, and database connections. All Parse Server deployments exposing the REST or GraphQL API are affected, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted queries to the REST or GraphQL endpoints, triggering excessive resource consumption that leads to service unavailability. No privileges, user interaction, or special access are required, making it accessible to any network adversary. Successful exploitation results in high-impact availability disruption without affecting confidentiality or integrity.

The Parse Server security advisory (GHSA-cmj3-wx7h-ffvg) and release notes for versions 8.6.15 and 9.5.2-alpha.2 detail the fix, which introduces query complexity limits to prevent resource exhaustion. Security practitioners should upgrade to these patched versions immediately and review deployments for exposed APIs, considering additional rate limiting or query validation as interim mitigations.

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the…

more

lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables unauthenticated remote exploitation of public-facing REST/GraphQL APIs for resource exhaustion DoS, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1499.004 (Application or System Exploitation) for the resulting endpoint DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30939Same product: Parseplatform Parse-Server
CVE-2026-33508Same product: Parseplatform Parse-Server
CVE-2026-30972Same product: Parseplatform Parse-Server
CVE-2026-30947Same product: Parseplatform Parse-Server
CVE-2026-32770Same product: Parseplatform Parse-Server
CVE-2026-33498Same product: Parseplatform Parse-Server
CVE-2026-34573Same product: Parseplatform Parse-Server
CVE-2026-33538Same product: Parseplatform Parse-Server
CVE-2026-32098Same product: Parseplatform Parse-Server
CVE-2026-34532Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.5.2 · ≤ 8.6.15 · 9.0.0 — 9.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in Parse Server by applying patches to versions 9.5.2-alpha.2 or 8.6.15 introduces query complexity limits, directly eliminating the resource exhaustion vulnerability.

prevent

Denial-of-service protections such as rate limiting or request throttling prevent unauthenticated attackers from exhausting CPU, memory, and database connections via crafted REST or GraphQL queries.

prevent

Validating the complexity, size, and structure of incoming REST and GraphQL query inputs blocks malicious queries designed to trigger excessive resource consumption.

References