
CVE-2026-34573

Severity: High · Impact: denial of service

Published: 31 March 2026
Modified: 02 April 2026
KEV: not listed
Patch: available (8.6.68, 9.7.0-alpha.12)
CVSS v4.0 base score: 8.2 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0046 (36.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-34573 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Parseplatform Parse-Server. Its CVSS v4.0 base score is 8.2 (High); the CVSS v3.1 score is 7.5.

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34573 is a denial-of-service vulnerability in Parse Server, an open-source backend that runs on any Node.js infrastructure. It affects versions before 8.6.68 and 9.x versions before 9.7.0-alpha.12, specifically the GraphQL query complexity validator. An attacker sends a crafted GraphQL query built from fragments with binary fan-out spreads: each fragment spreads the next one twice, so the expanded fragment tree doubles at every level of nesting while the query text grows only linearly. Walking that expansion overwhelms the validator and blocks the Node.js event loop for seconds. The flaw carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) alongside the v4.0 score of 8.2 and is classified as CWE-407 (Inefficient Algorithmic Complexity). It only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options, a precondition consistent with the Attack Requirements metric being set (AT:P) in the v4.0 vector.

An unauthenticated remote attacker can trigger it with a single request. Because a Node.js process serves every request from one event loop, nothing else is processed while that loop is blocked, so every concurrent client of the affected instance is denied service for the duration of the blockage.

Parse Server has addressed this issue in versions 8.6.68 and 9.7.0-alpha.12, as detailed in the project's security advisory (GHSA-mfj6-6p54-m98c) and the related GitHub pull requests (#10344, #10345) and commits (ea15412795f34594cc8a674fe858d445675e0295, f759bda075298ec44e2b4fb57659a0c56620483b). Security practitioners should upgrade to these patched versions. Until they can, the requestComplexity.graphQLDepth and requestComplexity.graphQLFields options are the exposure switch: deployments with neither option enabled are not affected, and deployments that rely on them should treat the GraphQL endpoint as exposed.


Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

CWE(s)

CWE-407 Inefficient Algorithmic Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote DoS vulnerability in Parse Server's GraphQL complexity validator exploitable via a single crafted query causing event loop blockage and resource exhaustion, directly mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32944 (same product: Parseplatform Parse-Server)
CVE-2026-32770 (same product: Parseplatform Parse-Server)
CVE-2026-33498 (same product: Parseplatform Parse-Server)
CVE-2026-32886 (same product: Parseplatform Parse-Server)
CVE-2026-33538 (same product: Parseplatform Parse-Server)
CVE-2026-30925 (same product: Parseplatform Parse-Server)
CVE-2026-30946 (same product: Parseplatform Parse-Server)
CVE-2026-33508 (same product: Parseplatform Parse-Server)
CVE-2026-30939 (same product: Parseplatform Parse-Server)
CVE-2026-30972 (same product: Parseplatform Parse-Server)

Affected Assets

parseplatform / parse-server: all versions before 8.6.68, and 9.0.0 up to but not including 9.7.0-alpha.12 (8.6.68 and 9.7.0-alpha.12 are the fixed releases)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation through patching to Parse Server 8.6.68 or 9.7.0-alpha.12 fixes the vulnerable GraphQL query complexity validator directly. It is the only control that removes the weakness rather than limiting its reach.

SC-5 Denial-of-Service Protection (prevent)

Denial-of-service protections such as rate limiting, request throttling, and resource quotas at the network boundary bound how often an attacker can re-send the crafted query, but they cannot stop the first one: a single request is enough to block the Node.js event loop for seconds. Pair them with a request-body size cap so that the largest query an unauthenticated client can submit is small.

SI-10 Information Input Validation (prevent)

Validating GraphQL queries before they reach the flawed complexity validator, for example by rejecting requests whose fragment definitions would expand beyond a fixed budget, discards crafted fragment spreads cheaply. Counting fragment definitions or spreads alone is not enough: a chain of 30 fragments that each spread the next one twice contains only 60 spreads yet expands to more than a billion nodes, so the budget has to be measured on the expanded tree.
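The contrast below between a naive and a memoized fragment walk, followed by a preflight guard, is an added example for this page and is not Parse Server's code or its patch. It illustrates the binary fan-out pattern described in the deeper analysis and the input-validation control above. The fragment-graph model, the regex scan of the query text, the `buildFanOutQuery` sample input and the limits inside `preflight` are all assumptions of the example, not Parse Server settings.

```javascript
// Added example for this page, not Parse Server's own code. It models the
// fragment-expansion step of a GraphQL complexity check on a hypothetical
// fragment graph, contrasts naive and memoized walks, and shows a linear-time
// preflight that rejects over-expanding queries before any heavier validator.

// Constructed sample input: a query whose fragments form a binary fan-out
// chain of the given depth (F0 spreads F1 twice, F1 spreads F2 twice, ...).
// Query text grows linearly with depth; its expansion grows as 2^depth.
function buildFanOutQuery(depth) {
  const parts = ['query Q { node { ...F0 } }'];
  for (let i = 0; i < depth; i++) {
    parts.push(`fragment F${i} on Node { ...F${i + 1} ...F${i + 1} }`);
  }
  parts.push(`fragment F${depth} on Node { id }`);
  return parts.join('\n');
}

const NAME = '[_A-Za-z][_0-9A-Za-z]*';
const DEF_RE = new RegExp(`\\bfragment\\s+(${NAME})\\s+on\\s+${NAME}\\s*\\{`, 'g');
// `...Name` spreads; inline `... on Type` spreads are excluded by the lookahead.
const SPREAD_RE = new RegExp(`\\.\\.\\.\\s*(?!on\\b)(${NAME})`, 'g');

// Heuristic text scan (not a GraphQL parser; it ignores strings and comments)
// producing: fragment name -> list of fragment names it spreads. The key
// '<operation>' holds the spreads made directly by the operation itself.
function fragmentGraph(query) {
  const graph = new Map();
  const defs = [...query.matchAll(DEF_RE)];
  const spreadsIn = (text) => [...text.matchAll(SPREAD_RE)].map((m) => m[1]);
  graph.set('<operation>', spreadsIn(query.slice(0, defs.length ? defs[0].index : query.length)));
  defs.forEach((d, i) => {
    const end = i + 1 < defs.length ? defs[i + 1].index : query.length;
    graph.set(d[1], spreadsIn(query.slice(d.index, end)));
  });
  return graph;
}

// Naive walk: every spread target is re-walked each time it is met, so work
// is exponential in the fan-out depth. This is the CWE-407 shape.
// Returns the number of fragment visits performed.
function naiveExpansionVisits(graph, root = '<operation>') {
  let visits = 0;
  const walk = (name) => {
    visits += 1;
    for (const target of graph.get(name) || []) walk(target);
  };
  walk(root);
  return visits;
}

// Memoized walk: each fragment's expanded size is computed once and reused,
// so work is linear in definitions plus spreads. Returns { size, visits }.
// A spread of an undefined fragment counts as a leaf; a fragment cycle (which
// the GraphQL spec forbids anyway) throws rather than looping forever.
function memoizedExpansion(graph, root = '<operation>') {
  const memo = new Map();
  const inProgress = new Set();
  let visits = 0;
  const walk = (name) => {
    if (memo.has(name)) return memo.get(name);
    if (inProgress.has(name)) throw new Error(`fragment cycle at ${name}`);
    inProgress.add(name);
    visits += 1;
    let size = 1;
    for (const target of graph.get(name) || []) size += walk(target);
    inProgress.delete(name);
    memo.set(name, size);
    return size;
  };
  return { size: walk(root), visits };
}

// Preflight guard for a gateway or Express middleware. Limits are hypothetical
// defaults, not Parse Server settings. Runs in time linear in the query text.
function preflight(query, { maxBodyBytes = 64 * 1024, maxExpanded = 10000 } = {}) {
  if (Buffer.byteLength(query, 'utf8') > maxBodyBytes) {
    return { ok: false, reason: 'body too large' };
  }
  let expansion;
  try {
    expansion = memoizedExpansion(fragmentGraph(query));
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (expansion.size > maxExpanded) {
    return { ok: false, reason: `fragment expansion ${expansion.size} exceeds ${maxExpanded}` };
  }
  return { ok: true, expanded: expansion.size };
}
```

Run it with Node.js. For a depth-12 chain the naive walk performs 8192 visits while the memoized walk performs 14, and for a depth-20 chain the memoized walk still performs 22 visits while computing an expansion of 2,097,152 nodes, which `preflight` rejects. That is the property a practitioner wants from a pre-filter: its cost depends on the length of the query text, never on how far the fragments expand, so it can sit in front of the expensive validator without itself becoming the thing that blocks the event loop. It remains a pre-filter; the fix is upgrading to the patched releases.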

References

GHSA-mfj6-6p54-m98c (Parse Server security advisory)
Parse Server GitHub pull requests #10344 and #10345
Commits ea15412795f34594cc8a674fe858d445675e0295 and f759bda075298ec44e2b4fb57659a0c56620483b