Cyber Resilience

CVE-2026-31800

Severity: High

Published: 10 March 2026
Modified: 11 March 2026
KEV Added: not listed
CVSS v4.0 score: 8.8 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS score: 0.0034 (25.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-31800 is a high-severity Missing Authorization (CWE-862) vulnerability in Parse Server (parseplatform/parse-server). Its CVSS v4.0 base score is 8.8 (High); under CVSS v3.1 the advisory scores it 9.1, which is Critical.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-31800 affects Parse Server, an open source backend deployable on any infrastructure that can run Node.js. In versions before 8.6.25 on the 8.x line and before 9.5.2-alpha.12 on the 9.x line, the internal _GraphQLConfig and _Audience classes are reachable through the generic REST class routes at /classes/_GraphQLConfig and /classes/_Audience. Those routes accept read, modify, and delete operations without master key authentication, bypassing the master key check that the dedicated /graphql-config and /push_audiences endpoints enforce for the same data. The vulnerability is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 9.1, Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Any unauthenticated attacker with network access to the Parse Server instance can exploit this issue; only the public application ID is needed, and the generic routes behave like any other class route (GET to read, PUT to modify, DELETE to remove). By sending requests to them, an attacker can read the GraphQL configuration, alter it, delete push audience records, or rewrite audience definitions, potentially disrupting services or enabling further attacks such as unauthorized data exfiltration or service misconfiguration.
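A read-only check that a deployment can run against its own Parse Server to see whether the generic routes for the two internal classes answer without a master key. This is an added example, not code from the advisory or the parse-server project; it assumes Parse Server is mounted at the URL given in PARSE_SERVER_URL (for example https://host/parse), the application ID is in PARSE_APP_ID, and Node.js 18+ supplies the global fetch().

```javascript
// Added example (not from the advisory or the parse-server project): a
// read-only check that sends GET /classes/_GraphQLConfig and
// GET /classes/_Audience with only an application ID (no master key) and
// classifies the reply. Assumptions: Parse Server mounted at the URL in
// PARSE_SERVER_URL, the app ID in PARSE_APP_ID, Node.js 18+ for fetch().

const INTERNAL_CLASSES = ['_GraphQLConfig', '_Audience'];

// Pure classifier, kept apart from the network code so it can be tested
// offline. A 200 whose body carries a `results` array means the route
// accepted an unauthenticated query (an empty array still counts: nothing
// is stored yet, but the route is open). 401/403 means the server refused
// without the master key. Anything else (404 for a wrong mount path, 5xx)
// is inconclusive and needs a look at the status and body.
function classify(status, body) {
  if (status === 200 && body && Array.isArray(body.results)) return 'EXPOSED';
  if (status === 401 || status === 403) return 'ENFORCED';
  return 'INCONCLUSIVE';
}

async function checkRoute(baseUrl, appId, className) {
  const url = `${baseUrl.replace(/\/+$/, '')}/classes/${className}`;
  const res = await fetch(url, {
    method: 'GET',
    headers: { 'X-Parse-Application-Id': appId, Accept: 'application/json' },
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON reply, leave null */ }
  return { className, url, status: res.status, verdict: classify(res.status, body) };
}

async function checkServer(baseUrl, appId) {
  const findings = [];
  for (const className of INTERNAL_CLASSES) {
    findings.push(await checkRoute(baseUrl, appId, className));
  }
  return findings;
}

// Only contacts a server when explicitly asked via the environment, so the
// file can also be loaded to exercise classify() offline.
if (process.env.PARSE_SERVER_URL && process.env.PARSE_APP_ID) {
  checkServer(process.env.PARSE_SERVER_URL, process.env.PARSE_APP_ID)
    .then((findings) => {
      for (const f of findings) console.log(`${f.verdict}\t${f.status}\t${f.url}`);
      process.exitCode = findings.some((f) => f.verdict === 'EXPOSED') ? 1 : 0;
    })
    .catch((err) => { console.error('check failed:', err.message); process.exitCode = 2; });
}
```

Run it as `PARSE_SERVER_URL=https://host/parse PARSE_APP_ID=<app id> node check.js`; it exits 1 if either route is EXPOSED. Probing the dedicated /graphql-config endpoint the same way is a useful control: it enforces the master key on every version and should always come back ENFORCED, so an INCONCLUSIVE result there points at a wrong base URL rather than at the server's patch level.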

Parse Server advisories recommend upgrading to version 9.5.2-alpha.12 or 8.6.25, where the vulnerability is fixed by enforcing proper authorization on the generic class routes. Details are available in the GitHub security advisory GHSA-7xg7-rqf6-pw6c and release notes for tags 8.6.25 and 9.5.2-alpha.12.


Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes sensitive REST API endpoints (/classes/_GraphQLConfig and /classes/_Audience) in Parse Server without authentication, allowing unauthenticated remote attackers to read, modify, and delete configurations, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34532 (same product: Parseplatform Parse-Server)
CVE-2026-30967 (same product: Parseplatform Parse-Server)
CVE-2026-34784 (same product: Parseplatform Parse-Server)
CVE-2026-30947 (same product: Parseplatform Parse-Server)
CVE-2026-31871 (same product: Parseplatform Parse-Server)
CVE-2026-32098 (same product: Parseplatform Parse-Server)
CVE-2026-32594 (same product: Parseplatform Parse-Server)
CVE-2026-32878 (same product: Parseplatform Parse-Server)
CVE-2026-30965 (same product: Parseplatform Parse-Server)
CVE-2026-32248 (same product: Parseplatform Parse-Server)

Affected Assets

parseplatform / parse-server
Affected: all versions before 8.6.25, and 9.0.0 up to but not including 9.5.2-alpha.12 (per the advisory text above; 8.6.25 and 9.5.2-alpha.12 are the fixed releases)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for logical access to system resources, directly preventing unauthorized read, modification, and deletion of _GraphQLConfig and _Audience records via the unprotected REST API routes.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Requires the organization to define, and keep to a documented minimum, the actions a system allows without identification or authentication. Reading, modifying or deleting internal configuration classes should never be on that list; the generic /classes/ routes permitted exactly that while the dedicated endpoints required the master key.

AC-6 Least Privilege (prevent)

Restricts access to sensitive internal classes to the users and processes that need it, in practice those presenting the master key.

References

GitHub security advisory GHSA-7xg7-rqf6-pw6c: https://github.com/advisories/GHSA-7xg7-rqf6-pw6c
parse-server release notes for tags 8.6.25 and 9.5.2-alpha.12