CVE-2026-31800 HIGH

CVE-2026-31800: Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Vendor Parse-Community
Product parse-server
Weakness CWE-862 · Missing authorization
Published March 10, 2026
Last update March 11, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.

Key dates

02Disclosure timeline

March 10, 2026 CVE published
March 11, 2026 Record updated