CVE-2026-34532
Published: 31 March 2026
Summary
CVE-2026-34532 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, assessment, and patching of the specific authorization bypass flaw in Parse Server, directly eliminating the vulnerability.
Mandates enforcement of approved authorizations for Cloud Functions, countering the bypass caused by mismatched prototype chain traversal in handler and validator stores.
Validates URL inputs including Cloud Function names to reject malicious appendages like 'prototype.constructor', blocking the exploit vector.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a network-accessible authorization bypass in the public-facing Parse Server backend, directly enabling T1190 by allowing unauthenticated invocation of protected Cloud Functions via crafted URLs.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name…
more
in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.
Deeper analysisAI
CVE-2026-34532 is a critical authorization bypass vulnerability in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. Affecting versions prior to 8.6.67 and 9.7.0-alpha.11, the flaw arises when Cloud Function handlers are declared using the function keyword and their validators are plain objects or arrow functions. In these cases, the trigger store resolves the handler through its prototype chain, while the validator store does not mirror this traversal, effectively skipping all access control enforcement.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity by appending "prototype.constructor" to the target Cloud Function name in the URL. This allows invocation of functions intended to be protected by validators such as requireUser, requireMaster, or custom logic, potentially granting unauthorized access to sensitive operations. The CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects high confidentiality and integrity impacts without requiring privileges or user interaction.
The issue, classified under CWE-863 (Incorrect Authorization), has been addressed in Parse Server versions 8.6.67 and 9.7.0-alpha.11. Mitigation involves upgrading to these patched releases, as detailed in the project's security advisory (GHSA-vpj2-qq7w-5qq6) and related GitHub pull requests (#10342, #10343) and commits (4fc48cf28f22eea200d74d883505f485234a48d7, dc59e272665644083c5b7f6862d88ce1ef0b2674).
Details
- CWE(s)