CVE-2026-30946
Published: 10 March 2026
Summary
CVE-2026-30946 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Parse Platform's Parse Server (parseplatform/parse-server). Its CVSS base score is 8.7 (High); note that the CVSS v3.1 vector quoted in the deeper analysis below scores 7.5, so the two figures come from different CVSS versions (8.7 is consistent with CVSS v4.0 scoring of an unauthenticated, network-reachable, availability-only impact).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 42.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-30946 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. Versions prior to 9.5.2-alpha.2 and 8.6.15 enforce no complexity limits on the REST and GraphQL APIs, so crafted queries can exhaust CPU, memory and database connections. All Parse Server deployments exposing the REST or GraphQL API are affected. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and the weakness is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted queries to the REST or GraphQL endpoints, triggering excessive resource consumption that leads to service unavailability. No privileges, user interaction, or special access are required, making it accessible to any network adversary. Successful exploitation results in high-impact availability disruption without affecting confidentiality or integrity.
The Parse Server security advisory (GHSA-cmj3-wx7h-ffvg) and the release notes for 8.6.15 and 9.5.2-alpha.2 describe the fix, which introduces query complexity limits to prevent resource exhaustion. Upgrade to a patched version, inventory which deployments expose the REST or GraphQL API, and, until the upgrade lands, apply rate limiting or query validation in front of the server as interim mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10862
Vulnerability details
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote exploitation of public-facing REST/GraphQL APIs for resource-exhaustion DoS, mapping to T1190 (Exploit Public-Facing Application) for the access vector and T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for the resulting availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): upgrading Parse Server to 9.5.2-alpha.2 or 8.6.15 introduces the query complexity limits that remove the resource-exhaustion condition at its source.
- SC-5 (Denial-of-service Protection): rate limiting and request throttling on the REST and GraphQL endpoints cap how much CPU, memory and database-connection pressure an unauthenticated client can generate with crafted queries.
- SI-10 (Information Input Validation): validating the complexity, size and nesting of incoming REST and GraphQL queries before they reach the query engine blocks the query shapes that trigger excessive resource consumption.
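The query-validation mitigation named in the deeper analysis and in the SI-10 control above, as an added example; this is not Parse Server's own code or its fix. It is an Express-style middleware that scores a Parse REST `where` clause (fan-out, list operands, regex scans, nested `$inQuery`/`$select` sub-queries, page size and `include` chains) and counts GraphQL selection-set depth, rejecting requests above a threshold before they reach the Parse Server handler. The operator names are Parse's documented REST constraints; the cost weights, the `MAX_DEPTH`, `maxCost` and `maxGraphqlDepth` thresholds, the function names (`scoreWhere`, `estimateRestCost`, `graphqlDepth`, `complexityGuard`, `runGuard`) and the sample queries are assumptions constructed for illustration.

```javascript
"use strict";

// Parse REST `where` operators grouped by how they cost the server (Parse's documented
// constraint names; the grouping and weights are this example's own assumptions).
const LOGICAL_OPS = new Set(["$or", "$and", "$nor"]);                 // array of sub-clauses
const LIST_OPS = new Set(["$in", "$nin", "$all"]);                     // array of literals
const SUBQUERY_OPS = new Set(["$inQuery", "$notInQuery", "$select", "$dontSelect"]); // inner query

// Assumed cost weights and limits for illustration; calibrate against real traffic.
const WEIGHTS = { field: 1, listItem: 1, regex: 10, subquery: 20, includePath: 5, perHundredRows: 2 };
const MAX_DEPTH = 4;

// Score a `where` object recursively. `depth` grows with each logical or sub-query
// nesting level; exceeding MAX_DEPTH rejects the query instead of scoring it.
function scoreWhere(where, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error(`where nesting exceeds ${MAX_DEPTH}`);
  if (where === null || typeof where !== "object" || Array.isArray(where)) return 0;
  let cost = 0;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.has(key)) {
      const branches = Array.isArray(value) ? value : [];
      cost += branches.reduce((sum, clause) => sum + 1 + scoreWhere(clause, depth + 1), 0);
      continue;
    }
    cost += WEIGHTS.field;
    if (value === null || typeof value !== "object") continue;
    for (const [op, operand] of Object.entries(value)) {
      if (op === "$regex") {
        cost += WEIGHTS.regex; // unanchored regex scans cannot use an index
      } else if (LIST_OPS.has(op) && Array.isArray(operand)) {
        cost += operand.length * WEIGHTS.listItem;
      } else if (SUBQUERY_OPS.has(op) && operand && typeof operand === "object") {
        // $select/$dontSelect wrap the inner query as {query:{where}}, $inQuery/$notInQuery as {where}.
        const inner = operand.query ? operand.query.where : operand.where;
        cost += WEIGHTS.subquery + 2 * scoreWhere(inner, depth + 1); // inner query runs first
      }
    }
  }
  return cost;
}

// Total cost of one REST query from its `where`, `limit` and `include` parameters.
// `where` arrives as a JSON string on GET and as an object on POST with _method=GET.
function estimateRestCost(params) {
  const where = typeof params.where === "string" ? JSON.parse(params.where) : (params.where || {});
  let cost = scoreWhere(where);
  const limit = Number(params.limit) > 0 ? Number(params.limit) : 100; // Parse's default page size
  cost += Math.ceil(limit / 100) * WEIGHTS.perHundredRows;
  const includes = typeof params.include === "string" ? params.include.split(",").filter(Boolean) : [];
  // Every include path is a pointer fetch; a dotted path chains one fetch per segment.
  cost += includes.reduce((sum, path) => sum + WEIGHTS.includePath * path.split(".").length, 0);
  return cost;
}

// Selection-set depth of a GraphQL document: counts `{`/`}` outside string literals and
// `#` comments. A coarse filter by design: fragments are not resolved.
function graphqlDepth(query) {
  let depth = 0, max = 0, i = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === "#") { while (i < query.length && query[i] !== "\n") i++; continue; }
    if (c === '"') {
      const block = query.startsWith('"""', i); // block string or plain string
      i += block ? 3 : 1;
      while (i < query.length) {
        if (block && query.startsWith('"""', i)) { i += 3; break; }
        if (!block && query[i] === '"') { i += 1; break; }
        if (query[i] === "\\") i++; // skip the escaped character
        i++;
      }
      continue;
    }
    if (c === "{") { depth++; if (depth > max) max = depth; }
    else if (c === "}") depth--;
    i++;
  }
  return max;
}

// Express-style middleware: score the request and answer 400 before Parse Server sees it.
// Mount it after body parsing so req.body is populated for POST and GraphQL requests.
function complexityGuard({ maxCost = 200, maxGraphqlDepth = 8 } = {}) {
  return function guard(req, res, next) {
    try {
      if (req.path.endsWith("/graphql")) {
        const depth = graphqlDepth((req.body && req.body.query) || "");
        if (depth > maxGraphqlDepth) {
          return res.status(400).json({ code: 400, error: `query depth ${depth} exceeds ${maxGraphqlDepth}` });
        }
      } else {
        const params = req.method === "GET" ? req.query : (req.body || {});
        const cost = estimateRestCost(params);
        if (cost > maxCost) {
          return res.status(400).json({ code: 400, error: `query cost ${cost} exceeds ${maxCost}` });
        }
      }
      return next();
    } catch (err) { // malformed JSON or excessive nesting: reject rather than forward
      return res.status(400).json({ code: 400, error: `query rejected: ${err.message}` });
    }
  };
}

// Drive the guard with a minimal fake req/res (no Express needed) and report the outcome.
function runGuard(req, opts) {
  const outcome = { passed: false, status: 200, body: null };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return outcome; },
  };
  complexityGuard(opts)(req, res, () => { outcome.passed = true; });
  return outcome;
}

// Constructed sample requests (not real traffic). The abusive one has 20 $or branches,
// each with a regex scan and a two-level $inQuery chain, the maximum page size and deep
// include chains: the shape of crafted query the advisory describes.
const BENIGN_QUERY = {
  where: JSON.stringify({ status: "open", owner: { $in: ["u1", "u2"] } }),
  limit: "50",
  include: "owner",
};
const ABUSIVE_QUERY = {
  where: JSON.stringify({
    $or: Array.from({ length: 20 }, (_, k) => ({
      title: { $regex: `.*${k}.*` },
      author: { $inQuery: { className: "_User", where: {
        email: { $regex: ".*" },
        team: { $inQuery: { className: "Team", where: { name: { $regex: ".*" } } } },
      } } },
    })),
  }),
  limit: "1000",
  include: "author.team.owner,comments.author",
};

console.log("benign cost:", estimateRestCost(BENIGN_QUERY));   // 11
console.log("abusive cost:", estimateRestCost(ABUSIVE_QUERY)); // 2865
console.log(runGuard({ method: "GET", path: "/parse/classes/Post", query: ABUSIVE_QUERY }));
```

Mount the guard on the same path as the Parse Server handler, ahead of it, and start with logging-only thresholds to learn what legitimate clients send before enforcing. The scoring is a coarse pre-filter, not a replacement for the patched versions: it does not resolve GraphQL fragments, and the weights only approximate the real cost of a query plan.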