CVE-2026-31800
Published: 10 March 2026
Summary
CVE-2026-31800 is a critical-severity Missing Authorization (CWE-862) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking places it in the 28.1st percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, directly preventing unauthorized read, modification, and deletion of the _GraphQLConfig and _Audience classes via the unprotected REST API routes.
- AC-14 (Permitted Actions Without Identification or Authentication): limits the set of actions allowed without identification or authentication, so that the generic /classes/ routes cannot be used to bypass the master key requirement on internal classes.
- AC-6 (Least Privilege): restricts access to sensitive internal classes to only the users or processes that need it, which for these classes means callers holding the master key.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why this technique?
The vulnerability exposes sensitive REST API endpoints (/classes/_GraphQLConfig and /classes/_Audience) on a Parse Server instance without authentication, so an unauthenticated remote attacker can read, modify, and delete GraphQL configuration and push audience data; an internet-reachable service with an unauthenticated flaw is exactly the pattern T1190 describes.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
Deeper analysis
CVE-2026-31800 affects Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.5.2-alpha.12 and 8.6.25, the internal _GraphQLConfig and _Audience classes are exposed through generic REST API routes at /classes/_GraphQLConfig and /classes/_Audience. These routes allow read, modify, and delete operations without requiring master key authentication, circumventing the master key enforcement present on the dedicated /graphql-config and /push_audiences endpoints. The vulnerability, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Any unauthenticated attacker who can reach the Parse Server REST API can exploit this issue with ordinary REST requests. The only credential such requests need is the application ID, which is not a secret: it is embedded in every client app and is routinely recovered from shipped binaries. Through the exposed routes the attacker can read GraphQL configuration details, alter that configuration, enumerate or delete push audience data, or rewrite audience definitions, which determine the recipients of targeted pushes, potentially disrupting services or enabling further attacks. Note that the dedicated /graphql-config and /push_audiences endpoints still enforce the master key, so a check against those endpoints alone will not reveal the exposure.
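The exposure described above can be checked from outside with nothing but the public application ID. The following script is an added example, not part of the advisory or of Parse Server, and it assumes Node.js 18 or later (for the global fetch), a REST API mounted at the URL given in PARSE_URL, and X-Parse-Application-Id as the only credential sent. The response classification is kept in pure functions so the decision logic can be exercised offline on constructed responses:

```javascript
// Added example, not code from the advisory or from Parse Server.
// Probes the two generic class routes named in CVE-2026-31800 with only the
// public application ID (no master key) and classifies each response.
// Assumptions (not from the advisory): Node.js 18+ global fetch, the REST API
// mounted at PARSE_URL, and X-Parse-Application-Id as the sole credential.

const INTERNAL_CLASS_ROUTES = ['/classes/_GraphQLConfig', '/classes/_Audience'];

// Pure classification so it can be tested without a server.
// A Parse REST "find" on a class answers 200 with {"results": [...]}; any
// response in that shape (even an empty array) means the route served the
// query without a master key, i.e. the generic route is unprotected.
// A Parse error response carries {"code": <n>, "error": "<message>"}.
function assessResponse(status, body) {
  let parsed = body;
  if (typeof body === 'string') {
    try { parsed = JSON.parse(body); } catch { return 'inconclusive'; }
  }
  if (parsed === null || typeof parsed !== 'object') return 'inconclusive';
  if (status === 200 && Array.isArray(parsed.results)) return 'unprotected';
  if (typeof parsed.error === 'string') return 'rejected';
  return 'inconclusive';
}

// Per-route verdicts rolled up into one answer for the instance: a single
// unprotected internal class is enough to call the instance vulnerable.
function summarize(verdicts) {
  const values = Object.values(verdicts);
  if (values.includes('unprotected')) return 'vulnerable';
  if (values.length > 0 && values.every(v => v === 'rejected')) return 'not-vulnerable';
  return 'inconclusive';
}

// fetchImpl is injectable so the flow can be tested with a fake transport.
async function probe(baseUrl, appId, fetchImpl = globalThis.fetch) {
  const verdicts = {};
  for (const route of INTERNAL_CLASS_ROUTES) {
    const res = await fetchImpl(`${baseUrl}${route}?limit=1`, {
      method: 'GET',
      headers: { 'X-Parse-Application-Id': appId }, // public value, not a secret
    });
    verdicts[route] = assessResponse(res.status, await res.text());
  }
  return { verdicts, summary: summarize(verdicts) };
}

// Usage:
//   PARSE_URL=https://api.example.test/parse PARSE_APP_ID=myAppId node probe.js
// (hypothetical host; runs only when both variables are set)
if (process.env.PARSE_URL && process.env.PARSE_APP_ID) {
  probe(process.env.PARSE_URL, process.env.PARSE_APP_ID)
    .then(r => console.log(JSON.stringify(r, null, 2)))
    .catch(err => { console.error(err); process.exit(1); });
}
```

Run it only against instances you are authorized to test. A verdict of "unprotected" on either route means the server answered a class query on an internal class with no master key, which is the behaviour the advisory describes; "inconclusive" usually means the URL is not a Parse REST mount point at all.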
Parse Server advisories recommend upgrading to version 9.5.2-alpha.12 or 8.6.25, where the vulnerability is fixed by enforcing proper authorization on the generic class routes. Note that for the 9.x line the fix is listed in a pre-release tag (9.5.2-alpha.12), while 8.6.25 is a release on the 8.x line; after upgrading, confirm the fix by checking that requests to /classes/_GraphQLConfig and /classes/_Audience without the master key are rejected. Details are available in the GitHub security advisory GHSA-7xg7-rqf6-pw6c and the release notes for tags 8.6.25 and 9.5.2-alpha.12.
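Deployments that cannot take the upgrade immediately can fail closed on the two generic routes in front of Parse Server. The middleware below is an added example, not from the advisory or the Parse Server project, and assumes Express-style request and response objects (req.path, req.get, res.status, res.json), a mount such as app.use('/parse', ...) placed before the Parse Server mount, and that the key compared is the same masterKey value handed to ParseServer. The error payload shape mirrors Parse's {code, error} convention, but the specific code and message are this example's choice:

```javascript
// Added example, not code from the advisory or from Parse Server.
// Stopgap guard for CVE-2026-31800: refuse requests to the generic
// /classes/_GraphQLConfig and /classes/_Audience routes unless the caller
// presents the master key in X-Parse-Master-Key. Assumes Express-style
// req/res objects and mounting in front of the Parse Server API.

const PROTECTED_PATH = /^\/classes\/(_GraphQLConfig|_Audience)(\/|$)/;

function isProtectedInternalClassPath(path) {
  return PROTECTED_PATH.test(path);
}

// Constant-time comparison over UTF-8 bytes: a length mismatch still yields
// "unequal" without returning early on the first differing byte.
function constantTimeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(String(a));
  const y = enc.encode(String(b));
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i % x.length] ?? 0) ^ (y[i % y.length] ?? 0);
  }
  return diff === 0;
}

// Returns (req, res, next) middleware bound to the deployment's master key.
function makeInternalClassGuard(masterKey) {
  if (typeof masterKey !== 'string' || masterKey.length === 0) {
    throw new Error('masterKey must be a non-empty string');
  }
  return function internalClassGuard(req, res, next) {
    if (!isProtectedInternalClassPath(req.path)) return next();
    const presented = req.get('X-Parse-Master-Key') || '';
    if (constantTimeEqual(presented, masterKey)) return next();
    // 119 is Parse's OPERATION_FORBIDDEN code; the message is this example's.
    return res.status(403).json({
      code: 119,
      error: 'unauthorized: master key is required for this class',
    });
  };
}

// Mounting (hypothetical app wiring; Express strips the mount prefix, so
// /parse/classes/_Audience arrives inside the guard as /classes/_Audience):
//   app.use('/parse', makeInternalClassGuard(process.env.PARSE_MASTER_KEY));
//   app.use('/parse', parseServerApi);
```

Two caveats. The guard only honours a master key sent in the header; callers that pass the key another way are refused, which is the safe direction for these routes but may need adjusting for your admin tooling. More importantly, Parse's /batch endpoint carries sub-requests inside the request body, so a path-based guard never sees their paths; this middleware narrows the exposure, it does not replace the upgrade.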
Details
- CWE(s)