CVE-2026-34373
Published: 31 March 2026
Summary
CVE-2026-34373 is a high-severity Origin Validation Error (CWE-346) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific flaw in Parse Server by upgrading to versions 8.6.66 or 9.7.0-alpha.10 restores enforcement of allowOrigin restrictions on the GraphQL endpoint.
Enforcing access control policies at the application level prevents unauthorized cross-origin access to the GraphQL API by respecting origin-based authorizations.
Boundary protection at external interfaces, such as via proxies or WAFs, can enforce origin validation and monitor anomalous cross-origin requests to mitigate GraphQL bypasses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Parse Server GraphQL API directly enables exploitation (T1190). Requires tricking users to visit malicious site for cross-origin requests (T1204.001).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests…
more
from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.
Deeper analysisAI
CVE-2026-34373 is a vulnerability in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. In versions prior to 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint ignores the configured allowOrigin server option, allowing cross-origin requests from any website. This bypasses restrictions operators set to limit which websites can interact with the Parse Server API, while the REST API correctly enforces these origin controls. The flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-346 (Origin Validation Error).
Any remote attacker can exploit this vulnerability by tricking users into visiting a malicious website that issues unauthorized cross-origin GraphQL requests to the affected Parse Server instance. Exploitation requires user interaction, such as loading the site or clicking an element, but demands no privileges or authentication. Successful attacks enable high-impact effects, including unauthorized access to sensitive data (confidentiality), modification of server resources (integrity), and potential service disruption (availability), all scoped to the unchanged security context.
Parse Server maintainers have patched the issue in versions 8.6.66 and 9.7.0-alpha.10. Security advisories recommend immediate upgrades to these releases to restore proper enforcement of allowOrigin restrictions on the GraphQL endpoint. Details on the fixes are documented in the GitHub security advisory (GHSA-q3p6-g7c4-829c) and related pull requests (#10334, #10335) with commits (0347641507891d0013ec57f7c10f012064f41263, 4dd0d3d8be1c39664c74ad10bb0abaa76bc41203).
Details
- CWE(s)