CVE-2026-32944
Published: 18 March 2026
Summary
CVE-2026-32944 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely flaw remediation through patching or upgrading Parse Server to versions that enforce query depth limits, directly addressing the uncontrolled recursion vulnerability.
- Implements protections against denial-of-service attacks, including resource exhaustion from deeply nested query operators that crash the server process.
- Restricts the quantity and complexity of query inputs, such as the nesting depth of condition operators, to prevent server crashes from specially crafted requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables a remote, unauthenticated DoS: a crafted HTTP request exploits uncontrolled recursion (CWE-674) to crash the Parse Server process, which maps directly to T1499.004 (Application or System Exploitation) under Endpoint Denial of Service.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
Deeper analysis
CVE-2026-32944 is a denial-of-service vulnerability in Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.6.0-alpha.21 and 8.6.45, the server fails to properly handle deeply nested query condition operators, allowing a specially crafted request to exhaust resources and crash the entire Parse Server process. This issue is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption without requiring authentication or user interaction.
An unauthenticated remote attacker can exploit this vulnerability by sending a single malicious HTTP request containing deeply nested query conditions to any exposed Parse Server endpoint. Successful exploitation terminates the server process, immediately denying service to all connected clients and requiring manual restart, potentially leading to prolonged outages in production environments.
Mitigation requires upgrading to Parse Server version 9.6.0-alpha.21 or 8.6.45, where a depth limit for query condition operator nesting is enforced via the `requestComplexity.queryDepth` server option. This option is disabled by default to prevent breaking changes, so administrators must explicitly configure an appropriate value post-upgrade. No workarounds are available, and relevant advisories are detailed in the Parse Server GitHub security advisory (GHSA-9xp9-j92r-p88v) and related pull requests (10202, 10203).
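An added example, not Parse Server's own code, of the kind of check the mitigation above describes: a guard that computes how deeply a request's `where` clause nests logical condition operators and rejects it beyond a limit, as the `requestComplexity.queryDepth` option does inside patched servers. The operator set, the default limit of 10 and the Express request shapes it reads are assumptions.

```javascript
// Added example, not Parse Server's own code: a request-level guard that measures
// how deeply a Parse "where" clause nests logical condition operators and rejects
// requests above a limit, the same idea `requestComplexity.queryDepth` enforces in
// patched servers. Assumed (not from the page): the operator set, the default of
// 10, and the request shapes handled by the middleware.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']); // operands are sub-conditions
const DEFAULT_QUERY_DEPTH = 10;

// Maximum nesting depth of logical operators: a flat constraint such as
// {score: {$gt: 10}} is depth 0, wrapping it in $or is depth 1. Uses an explicit
// work stack so the check itself cannot overflow the call stack on the deeply
// nested input it guards against, and returns early once the limit is exceeded.
function queryDepth(where, limit = Infinity) {
  const stack = [{ node: where, depth: 0 }];
  let max = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > max) max = depth;
    if (depth > limit) return depth;
    if (node === null || typeof node !== 'object') continue;
    const entries = Array.isArray(node) ? node.map((item) => [null, item]) : Object.entries(node);
    for (const [key, value] of entries) {
      stack.push({ node: value, depth: LOGICAL_OPERATORS.has(key) ? depth + 1 : depth });
    }
  }
  return max;
}

// Returns {ok: true} or a descriptor the HTTP layer can turn into a 400 response.
function checkQueryDepth(where, limit = DEFAULT_QUERY_DEPTH) {
  const depth = queryDepth(where, limit);
  if (depth > limit) return { ok: false, depth, limit, error: `query depth exceeds limit of ${limit}` };
  return { ok: true, depth, limit };
}

// Express-style pre-filter mounted ahead of Parse Server. Assumed request shape:
// the where clause arrives as an object in req.body or as a JSON string in req.query.
function queryDepthMiddleware(limit = DEFAULT_QUERY_DEPTH) {
  return (req, res, next) => {
    let where = req.body && req.body.where;
    if (where === undefined && req.query && typeof req.query.where === 'string') {
      try { where = JSON.parse(req.query.where); } catch (e) { where = null; } // malformed JSON left to Parse Server
    }
    const result = checkQueryDepth(where, limit);
    return result.ok ? next() : res.status(400).json({ error: result.error });
  };
}
```

The check only illustrates what the option enforces; the mitigation the advisory gives is to upgrade and set `requestComplexity.queryDepth` on the server itself.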
Details
- CWE(s)