Cyber Posture

CVE-2026-32594

High

Published: 16 March 2026

Modified: 17 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32594 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-306: Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

Addresses CWE-306: Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

Addresses CWE-306: Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

Addresses CWE-306: Guarantees critical functions are protected by mandatory invocation of the access control mechanism.

Addresses CWE-306: Auditing sessions makes it possible to detect access to critical functions without required authentication.

Addresses CWE-306: The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

Addresses CWE-306: Certification assesses that critical functions have required authentication controls in place.

Addresses CWE-306: Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CVE describes a missing authentication flaw (CWE-306) in the publicly exposed GraphQL WebSocket endpoint of Parse Server, directly enabling remote exploitation of a public-facing application without credentials to perform unauthorized operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.

Deeper analysis (AI)

CVE-2026-32594 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions bypasses the Express middleware chain responsible for enforcing authentication, introspection controls, and query complexity limits. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), allows unauthorized access to GraphQL operations via WebSocket connections.

Any remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). By connecting directly to the WebSocket endpoint, they can execute arbitrary GraphQL operations without a valid application or API key, perform schema introspection even when public introspection is disabled, and submit overly complex queries that evade configured limits, potentially leading to low-level impacts on confidentiality, integrity, and availability.

The Parse Server security advisory (GHSA-p2x3-8689-cwpg) and related pull requests (#10189 and #10190) confirm the issue is resolved in versions 8.6.40 and 9.6.0-alpha.14, which route WebSocket requests through the proper middleware. Security practitioners should upgrade affected Parse Server instances immediately and verify GraphQL endpoint configurations to ensure middleware enforcement.

Details

CWE(s)

Affected Products

parseplatform
parse-server
9.6.0 · ≤ 8.6.40 · 9.0.0 — 9.6.0

CVEs Like This One

CVE-2026-30967 (same product: Parseplatform Parse-Server)
CVE-2026-32878 (same product: Parseplatform Parse-Server)
CVE-2026-34532 (same product: Parseplatform Parse-Server)
CVE-2026-34784 (same product: Parseplatform Parse-Server)
CVE-2026-31871 (same product: Parseplatform Parse-Server)
CVE-2026-31800 (same product: Parseplatform Parse-Server)
CVE-2026-32098 (same product: Parseplatform Parse-Server)
CVE-2026-30947 (same product: Parseplatform Parse-Server)
CVE-2026-33409 (same product: Parseplatform Parse-Server)
CVE-2026-32248 (same product: Parseplatform Parse-Server)

References