Cyber Resilience

CVE-2026-34532

Critical

Published: 31 March 2026

Published
31 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v4 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0028 19.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34532 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34532 is a critical authorization bypass vulnerability in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. Affecting versions prior to 8.6.67 and 9.7.0-alpha.11, the flaw arises when Cloud Function handlers are declared using the function keyword and their validators are plain objects or arrow functions. In these cases, the trigger store resolves the handler through its prototype chain, while the validator store does not mirror this traversal, effectively skipping all access control enforcement.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity by appending "prototype.constructor" to the target Cloud Function name in the URL. This allows invocation of functions intended to be protected by validators such as requireUser, requireMaster, or custom logic, potentially granting unauthorized access to sensitive operations. The CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects high confidentiality and integrity impacts without requiring privileges or user interaction.

The issue, classified under CWE-863 (Incorrect Authorization), has been addressed in Parse Server versions 8.6.67 and 9.7.0-alpha.11. Mitigation involves upgrading to these patched releases, as detailed in the project's security advisory (GHSA-vpj2-qq7w-5qq6) and related GitHub pull requests (#10342, #10343) and commits (4fc48cf28f22eea200d74d883505f485234a48d7, dc59e272665644083c5b7f6862d88ce1ef0b2674).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name…

more

in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a network-accessible authorization bypass in the public-facing Parse Server backend, directly enabling T1190 by allowing unauthenticated invocation of protected Cloud Functions via crafted URLs.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30947Same product: Parseplatform Parse-Server
CVE-2026-30965Same product: Parseplatform Parse-Server
CVE-2026-29182Same product: Parseplatform Parse-Server
CVE-2026-30967Same product: Parseplatform Parse-Server
CVE-2026-34784Same product: Parseplatform Parse-Server
CVE-2026-31871Same product: Parseplatform Parse-Server
CVE-2026-30229Same product: Parseplatform Parse-Server
CVE-2026-32098Same product: Parseplatform Parse-Server
CVE-2026-30863Same product: Parseplatform Parse-Server
CVE-2026-32594Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.7.0 · ≤ 8.6.67 · 9.0.0 — 9.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, assessment, and patching of the specific authorization bypass flaw in Parse Server, directly eliminating the vulnerability.

prevent

Mandates enforcement of approved authorizations for Cloud Functions, countering the bypass caused by mismatched prototype chain traversal in handler and validator stores.

prevent

Validates URL inputs including Cloud Function names to reject malicious appendages like 'prototype.constructor', blocking the exploit vector.

References