Cyber Resilience

CVE-2026-32594

Medium

Published: 16 March 2026

Published
16 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 24.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32594 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-32594 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions bypasses the Express middleware chain responsible for enforcing authentication, introspection controls, and query complexity limits. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), allows unauthorized access to GraphQL operations via WebSocket connections.

Any remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). By connecting directly to the WebSocket endpoint, they can execute arbitrary GraphQL operations without a valid application or API key, perform schema introspection even when public introspection is disabled, and submit overly complex queries that evade configured limits, potentially leading to low-level impacts on confidentiality, integrity, and availability.

The Parse Server security advisory (GHSA-p2x3-8689-cwpg) and related pull requests (#10189 and #10190) confirm the issue is resolved in versions 8.6.40 and 9.6.0-alpha.14, which route WebSocket requests through the proper middleware. Security practitioners should upgrade affected Parse Server instances immediately and verify GraphQL endpoint configurations to ensure middleware enforcement.

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces…

more

authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a missing authentication flaw (CWE-306) in the publicly exposed GraphQL WebSocket endpoint of Parse Server, directly enabling remote exploitation of a public-facing application without credentials to perform unauthorized operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31871Same product: Parseplatform Parse-Server
CVE-2026-31800Same product: Parseplatform Parse-Server
CVE-2026-34532Same product: Parseplatform Parse-Server
CVE-2026-30967Same product: Parseplatform Parse-Server
CVE-2026-30947Same product: Parseplatform Parse-Server
CVE-2026-34784Same product: Parseplatform Parse-Server
CVE-2026-32878Same product: Parseplatform Parse-Server
CVE-2026-32098Same product: Parseplatform Parse-Server
CVE-2026-30965Same product: Parseplatform Parse-Server
CVE-2026-30863Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.6.0 · ≤ 8.6.40 · 9.0.0 — 9.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization on every request path, closing the WebSocket bypass that allowed unauthenticated GraphQL operations.

prevent

Requires identification and authentication of non-organizational users before granting access to the GraphQL service, preventing the missing-API-key exploitation described in the CVE.

prevent

Limits the privileges available once a connection is established, reducing the impact of any GraphQL operations that still bypass intended controls.

References