Cyber Posture

CVE-2026-30946

Severity: High
Published: 10 March 2026
Modified: 11 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30946 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-770: This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Addresses CWE-770: Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Addresses CWE-770: Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- Addresses CWE-770: Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Addresses CWE-770: Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Addresses CWE-770: Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Addresses CWE-770: Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Addresses CWE-770: Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables unauthenticated remote exploitation of public-facing REST/GraphQL APIs for resource-exhaustion DoS, mapping directly to T1190 (Exploit Public-Facing Application) for initial access and to T1499.004 (Application or System Exploitation) for the resulting endpoint DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.

Deeper analysis (AI-generated)

CVE-2026-30946 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. Versions prior to 9.5.2-alpha.2 and 8.6.15 lack complexity limits in their REST and GraphQL APIs, enabling crafted queries to exhaust server resources including CPU, memory, and database connections. All Parse Server deployments exposing the REST or GraphQL API are affected, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted queries to the REST or GraphQL endpoints, triggering excessive resource consumption that leads to service unavailability. No privileges, user interaction, or special access are required, making it accessible to any network adversary. Successful exploitation results in high-impact availability disruption without affecting confidentiality or integrity.

The Parse Server security advisory (GHSA-cmj3-wx7h-ffvg) and release notes for versions 8.6.15 and 9.5.2-alpha.2 detail the fix, which introduces query complexity limits to prevent resource exhaustion. Security practitioners should upgrade to these patched versions immediately and review deployments for exposed APIs, considering additional rate limiting or query validation as interim mitigations.
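The NVD description and the analysis above both come down to one missing control: a budget on how much work a single REST `where` clause or GraphQL document may demand. The block below is an added example of such an interim query-complexity gate, written for this page; it is not Parse Server's own code and not the upstream fix. The thresholds in `LIMITS`, the `EXPENSIVE_OPS` set, and the helper names (`measureWhere`, `checkWhere`, `graphqlDepth`, `checkGraphql`, `nestedOr`) are assumptions chosen for illustration, and the sample queries are constructed, not captured from a real deployment.

```javascript
// Added example (not Parse Server's own code or its fix): an interim
// query-complexity gate of the kind the analysis suggests as a stopgap.
// LIMITS, EXPENSIVE_OPS and the helper names are assumptions for illustration.

const LIMITS = { maxDepth: 5, maxNodes: 50, maxBranches: 10, maxExpensive: 2 };

// Constraint operators that push extra work onto the database (assumed set).
const EXPENSIVE_OPS = new Set(['$regex', '$inQuery', '$notInQuery', '$select', '$dontSelect', '$text']);

// Walk a Parse-style REST `where` object and measure its shape:
// nesting depth, total nodes, $or/$and/$nor branch fan-out, expensive operators.
function measureWhere(where) {
  const m = { depth: 0, nodes: 0, branches: 0, expensive: 0 };
  function walk(value, d) {
    m.nodes += 1;
    if (d > m.depth) m.depth = d;
    if (Array.isArray(value)) {
      for (const v of value) walk(v, d + 1);
    } else if (value !== null && typeof value === 'object') {
      for (const [key, v] of Object.entries(value)) {
        if (key === '$or' || key === '$and' || key === '$nor') {
          m.branches += Array.isArray(v) ? v.length : 1;
        }
        if (EXPENSIVE_OPS.has(key)) m.expensive += 1;
        walk(v, d + 1);
      }
    }
  }
  walk(where, 0);
  return m;
}

// Decide whether a `where` clause stays within the configured budget.
function checkWhere(where, limits = LIMITS) {
  const metrics = measureWhere(where);
  const reasons = [];
  if (metrics.depth > limits.maxDepth) reasons.push(`depth ${metrics.depth} exceeds ${limits.maxDepth}`);
  if (metrics.nodes > limits.maxNodes) reasons.push(`nodes ${metrics.nodes} exceed ${limits.maxNodes}`);
  if (metrics.branches > limits.maxBranches) reasons.push(`branches ${metrics.branches} exceed ${limits.maxBranches}`);
  if (metrics.expensive > limits.maxExpensive) reasons.push(`expensive operators ${metrics.expensive} exceed ${limits.maxExpensive}`);
  return { allowed: reasons.length === 0, metrics, reasons };
}

// Maximum selection-set nesting of a GraphQL document, counting braces that
// sit outside double-quoted string literals. Deliberately simple: it does not
// understand block strings ("""), so a production gate should use a real parser.
function graphqlDepth(query) {
  let depth = 0;
  let max = 0;
  let inString = false;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inString) {
      if (c === '\\') i += 1;            // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else if (c === '{') { depth += 1; if (depth > max) max = depth; }
    else if (c === '}') depth -= 1;
  }
  return max;
}

function checkGraphql(query, maxDepth = LIMITS.maxDepth) {
  const depth = graphqlDepth(query);
  return { allowed: depth <= maxDepth, depth };
}

// Constructed sample inputs (not captured from a real deployment).
const simpleWhere = { playerName: 'Sean', score: { $gt: 1000 } };

// Build a `where` with `levels` nested $or alternatives: the kind of shape
// a complexity budget exists to refuse.
function nestedOr(levels) {
  let q = { score: { $gt: 1 } };
  for (let i = 0; i < levels; i++) q = { $or: [q, { score: { $lt: 0 } }] };
  return q;
}

const shallowQuery = 'query { players { edges { node { objectId } } } }';
const quotedBraces = 'query { players(where: { name: { equalTo: "{{" } }) { objectId } }';

console.log(checkWhere(simpleWhere));              // allowed: true
console.log(checkWhere(nestedOr(8)).reasons);      // depth and branch limits exceeded
console.log(checkGraphql(shallowQuery), checkGraphql(quotedBraces));
```

In a deployment this check would sit in front of the `/classes/*` and `/graphql` routes and answer an over-budget request with a 4xx before any database work starts; the metrics it returns are also worth logging, since a sudden rise in rejected queries from one source is an early availability-attack signal. The brace counter ignores braces inside ordinary string literals (the `quotedBraces` sample measures depth 3, not 5), but it is a stopgap: the upstream fix in 8.6.15 and 9.5.2-alpha.2 remains the real remediation.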

Details

CWE(s)

Affected Products

parseplatform
parse-server
9.5.2 · ≤ 8.6.15 · 9.0.0 — 9.5.2

CVEs Like This One

- CVE-2026-30939 (same product: Parseplatform Parse-Server)
- CVE-2026-33508 (same product: Parseplatform Parse-Server)
- CVE-2026-30972 (same product: Parseplatform Parse-Server)
- CVE-2026-33538 (same product: Parseplatform Parse-Server)
- CVE-2026-30967 (same product: Parseplatform Parse-Server)
- CVE-2026-31800 (same product: Parseplatform Parse-Server)
- CVE-2026-32770 (same product: Parseplatform Parse-Server)
- CVE-2026-34532 (same product: Parseplatform Parse-Server)
- CVE-2026-32878 (same product: Parseplatform Parse-Server)
- CVE-2026-34784 (same product: Parseplatform Parse-Server)

References