CVE-2026-34784
Published: 31 March 2026
Summary
CVE-2026-34784 is a high-severity Improper Authorization (CWE-285) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly remediates the flaw by applying the fixes in Parse Server versions 8.6.71 and 9.7.1-alpha.1, which close the HTTP Range request bypass of file authorization triggers.
- AC-3 (Access Enforcement): enforces approved authorizations for every file access request, preventing unauthorized downloads that bypass afterFind triggers and validators on streaming adapters.
- AU-13 (Monitoring for Information Disclosure): monitors system security functions to detect unauthorized disclosure of protected files via anomalous HTTP Range requests.
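As an added illustration of the AU-13 monitoring control above (this code is written for this page and is not from the CVE entry or the Parse Server project), the following Node.js script flags unauthenticated HTTP Range requests to a file endpoint that were answered with 206 Partial Content, the shape an unpatched server produces when a download skips the afterFind authorization path. The log format, the /parse/files/ mount point and the sample log lines are constructed assumptions; adapt the regex to your reverse proxy's access-log format.

```javascript
// Added example, not Parse Server code. Heuristic detector for Range requests
// against a Parse Server file endpoint, run over constructed access-log lines.
// Assumed log format: a combined-style line extended with two fields,
// range="<Range header or ->" and session="<session token or ->".
const FILE_PATH_PREFIX = '/parse/files/'; // assumed mount point; adjust to your deployment

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) (\d+|-) range="([^"]*)" session="([^"]*)"$/;

// Returns a structured entry, or null if the line does not match the format.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    bytes: m[6] === '-' ? 0 : Number(m[6]),
    range: m[7] === '-' ? null : m[7],
    hasSession: m[8] !== '-',
  };
}

// True for a GET of a file under the mount point that carried a Range header.
function isRangeFileRequest(entry) {
  return entry !== null && entry.method === 'GET' &&
    entry.path.startsWith(FILE_PATH_PREFIX) && entry.range !== null;
}

// Flags Range requests to file endpoints that had no session token and were
// still answered with 206 Partial Content. On a patched server such a request
// should get the same answer as a plain GET of a protected file (e.g. 403), so
// a steady stream of 206s here is worth investigating.
function findSuspiciousRangeRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (isRangeFileRequest(e) && !e.hasSession && e.status === 206) {
      findings.push({ ip: e.ip, path: e.path, range: e.range, time: e.time });
    }
  }
  return findings;
}

// Groups findings per client IP to surface enumeration (many files, one client).
function countByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [31/Mar/2026:10:00:01 +0000] "GET /parse/files/app/report.pdf HTTP/1.1" 206 1024 range="bytes=0-1023" session="-"',
  '203.0.113.7 - - [31/Mar/2026:10:00:02 +0000] "GET /parse/files/app/payroll.xlsx HTTP/1.1" 206 1024 range="bytes=0-1023" session="-"',
  '198.51.100.4 - - [31/Mar/2026:10:00:03 +0000] "GET /parse/files/app/report.pdf HTTP/1.1" 206 1024 range="bytes=0-1023" session="r:abc"',
  '198.51.100.4 - - [31/Mar/2026:10:00:04 +0000] "GET /parse/files/app/report.pdf HTTP/1.1" 403 0 range="-" session="-"',
  '203.0.113.7 - - [31/Mar/2026:10:00:05 +0000] "GET /parse/classes/Photo HTTP/1.1" 200 512 range="-" session="-"',
];

const findings = findSuspiciousRangeRequests(SAMPLE_LOG);
console.log(JSON.stringify({ findings, byClient: countByClient(findings) }, null, 2));
```

On the constructed sample the script reports the two unauthenticated 206 responses from 203.0.113.7 and ignores the authenticated download, the 403 on a plain GET, and the non-file request. A session token in the log does not by itself mean the request was authorized, so treat the session filter as a way to rank findings, not as proof of legitimacy.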
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability in a public-facing Parse Server lets a remote, unauthenticated client bypass the authorization triggers on file access by sending HTTP Range requests.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
Deeper analysis [AI-generated]
CVE-2026-34784 is a vulnerability in Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. In versions prior to 8.6.71 and 9.7.1-alpha.1, file downloads initiated via HTTP Range requests bypass the afterFind(Parse.File) trigger and associated validators on storage adapters that support streaming, such as the default GridFS adapter. This flaw, classified under CWE-285 (Improper Authorization), enables unauthorized access to files protected by trigger-based authorization logic or built-in validators like requireUser, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges required and low attack complexity. By crafting HTTP Range requests to download files, attackers can retrieve sensitive data that should be restricted, achieving high-impact confidentiality violations without affecting integrity or availability. No user interaction is needed, making it suitable for automated exploitation against exposed Parse Server instances.
Patches addressing this issue are available in Parse Server versions 8.6.71 and 9.7.1-alpha.1, as detailed in the project's GitHub security advisory (GHSA-hpm8-9qx6-jvwv) and related pull requests (#10361, #10362) with commits 053109b3ee71815bc39ed84116c108ff9edbf337 and a0b0c69fc44f87f80d793d257344e7dcbf676e22. Security practitioners should upgrade to these fixed versions and review configurations for streaming storage adapters to ensure proper enforcement of authorization triggers.
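To make the bug class concrete for the configuration review recommended above, here is an added model of a file-download route, written for this page and not taken from Parse Server's code base: a vulnerable variant whose streaming (Range) branch skips the authorization hook, beside a fixed variant that runs the hook before any bytes are returned on either path. The store, hook and request shapes are hypothetical stand-ins for the storage adapter, the afterFind(Parse.File) trigger with a requireUser validator, and the HTTP request; they are not Parse Server APIs.

```javascript
// Added example, not Parse Server code. Minimal model of a file route showing
// an authorization check that runs on the full-download path but not on the
// streaming path used for Range requests, and the corrected ordering.

// Hypothetical in-memory adapter standing in for a streaming storage adapter
// (e.g. GridFS). File contents are plain strings to keep the model small.
function makeFileStore(files) {
  return {
    getFile: (name) => (Object.prototype.hasOwnProperty.call(files, name) ? files[name] : null),
    // Models the range-capable read: returns bytes [start, end] inclusive.
    stream: (name, start, end) =>
      (Object.prototype.hasOwnProperty.call(files, name) ? files[name].slice(start, end + 1) : null),
  };
}

// Hypothetical hook standing in for afterFind(Parse.File) with a
// requireUser-style validator: throws 403 when no user is attached.
function requireUserHook(req) {
  if (!req.user) {
    const err = new Error('unauthorized');
    err.status = 403;
    throw err;
  }
}

// Parses "bytes=start-end", "bytes=start-" and "bytes=-suffix" against a file
// of `size` bytes; returns null for malformed or unsatisfiable ranges.
function parseRange(header, size) {
  const m = /^bytes=(\d*)-(\d*)$/.exec(header);
  if (!m || (m[1] === '' && m[2] === '')) return null;
  let start;
  let end;
  if (m[1] === '') {
    start = Math.max(0, size - Number(m[2]));
    end = size - 1;
  } else {
    start = Number(m[1]);
    end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  }
  if (start > end || start >= size) return null;
  return { start, end };
}

// VULNERABLE ordering: the hook only guards the full-download branch, so a
// request that carries a Range header reaches the streaming branch unchecked.
function serveFileVulnerable(req, store, hook) {
  const data = store.getFile(req.file);
  if (data === null) return { status: 404, body: null };
  const range = req.headers.range ? parseRange(req.headers.range, data.length) : null;
  if (range) {
    // Bug: no authorization on the streaming path.
    return { status: 206, body: store.stream(req.file, range.start, range.end) };
  }
  try {
    hook(req);
  } catch (e) {
    return { status: e.status || 403, body: null };
  }
  return { status: 200, body: data };
}

// FIXED ordering: authorize once, before branching, so no byte of the file is
// returned on any path unless the hook passed.
function serveFileFixed(req, store, hook) {
  const data = store.getFile(req.file);
  if (data === null) return { status: 404, body: null };
  try {
    hook(req);
  } catch (e) {
    return { status: e.status || 403, body: null };
  }
  const range = req.headers.range ? parseRange(req.headers.range, data.length) : null;
  if (range) return { status: 206, body: store.stream(req.file, range.start, range.end) };
  return { status: 200, body: data };
}

// Constructed demonstration: an anonymous request with a Range header.
const demoStore = makeFileStore({ 'secret.txt': 'top secret payroll' });
const anonRangeReq = { file: 'secret.txt', user: null, headers: { range: 'bytes=0-2' } };
console.log('vulnerable:', serveFileVulnerable(anonRangeReq, demoStore, requireUserHook)); // 206, bytes leaked
console.log('fixed:     ', serveFileFixed(anonRangeReq, demoStore, requireUserHook)); // 403, no body
```

The test to keep in a regression suite is the anonymous Range request: it must receive exactly the status a plain anonymous GET of the same protected file receives. Checking only the full-download path, as the vulnerable variant effectively does, lets the streaming path drift out of sync with the authorization logic.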
Details
- CWE(s)