CVE-2026-32594
Published: 16 March 2026
Summary
CVE-2026-32594 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2026-32594 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions bypasses the Express middleware chain responsible for enforcing authentication, introspection controls, and query complexity limits. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), allows unauthorized access to GraphQL operations via WebSocket connections.
Any remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). By connecting directly to the WebSocket endpoint, they can execute arbitrary GraphQL operations without a valid application or API key, perform schema introspection even when public introspection is disabled, and submit overly complex queries that evade configured limits, potentially leading to low-level impacts on confidentiality, integrity, and availability.
The Parse Server security advisory (GHSA-p2x3-8689-cwpg) and related pull requests (#10189 and #10190) confirm the issue is resolved in versions 8.6.40 and 9.6.0-alpha.14, which route WebSocket requests through the proper middleware. Security practitioners should upgrade affected Parse Server instances immediately and verify GraphQL endpoint configurations to ensure middleware enforcement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12097
Vulnerability details
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The CVE describes a missing authentication flaw (CWE-306) in the publicly exposed GraphQL WebSocket endpoint of Parse Server, directly enabling remote exploitation of a public-facing application without credentials to perform unauthorized operations.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization on every request path, closing the WebSocket bypass that allowed unauthenticated GraphQL operations.
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires identification and authentication of non-organizational users before granting access to the GraphQL service, preventing the missing-API-key exploitation described in the CVE.
- Limits the privileges available once a connection is established, reducing the impact of any GraphQL operations that still bypass intended controls.