Parse Server GraphQL Configuration and Audience Class Master Key Bypass Vulnerability

Vulnerability

A vulnerability in Parse Server prior to versions 9.5.2-alpha.12 and 8.6.25 allows unauthorized access to the internal classes '_GraphQLConfig' and '_Audience' through the generic REST API class routes. Because these routes do not enforce the master key that the dedicated GraphQL configuration and push audience endpoints require, an unauthenticated caller can read, modify, and delete GraphQL configuration and push audience data. The affected versions are the 9.x line from 9.0.0 up to but not including 9.5.2-alpha.12, and all versions prior to 8.6.25.

Impact

Exploitation of this vulnerability allows for unauthorized reading, modification, and deletion of GraphQL configuration and audience data.

Remediation

Users should upgrade to Parse Server 9.5.2-alpha.12 (9.x line) or 8.6.25 (8.x line), which are the first releases containing the fix.
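As an added example (not from the advisory or the Parse Server project), a Python check that tells whether a deployed Parse Server version string falls inside the affected ranges stated above. It handles semver pre-release ordering, which matters here because 9.5.2-alpha.12 is the first fixed 9.x build (so 9.5.2-alpha.11 and 9.5.2-alpha.9 are affected while 9.5.2-alpha.12 and 9.5.2 are not). The deployment inventory at the bottom is constructed sample data.

```python
import re

# Affected ranges exactly as stated in the advisory: [lower inclusive, upper exclusive).
# A lower bound of None means "every version below the upper bound".
AFFECTED_RANGES = [
    (None, "8.6.25"),             # everything before the 8.x fix
    ("9.0.0", "9.5.2-alpha.12"),  # 9.x line before the 9.x fix
]

_SEMVER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?")


def version_key(version):
    """Map 'MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]' to a tuple ordered by semver 2.0 precedence.

    A pre-release (9.5.2-alpha.11) sorts below the plain release (9.5.2), and pre-release
    identifiers made only of digits compare numerically, so alpha.9 < alpha.12 even though
    '9' > '1' as text. Build metadata after '+' is ignored, as semver requires.
    """
    m = _SEMVER.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())  # release: ranks above every pre-release of the same core
    # numeric identifiers (0, n) rank below alphanumeric ones (1, s); shorter prefix ranks lower
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (core, 0, ids)


def is_affected(version):
    """True if the given Parse Server version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    for lower, upper in AFFECTED_RANGES:
        above_lower = lower is None or version_key(lower) <= key
        if above_lower and key < version_key(upper):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory of (deployment name, version reported by that deployment)
    inventory = [("api-prod", "8.6.24"), ("api-staging", "9.5.2-alpha.12"), ("legacy", "7.4.0")]
    for name, ver in inventory:
        status = "AFFECTED, upgrade" if is_affected(ver) else "fixed"
        print(f"{name}: {ver} -> {status}")
```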

Added: Mar 10, 2026, 9:21 PM
Updated: Mar 10, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread           6.4
impact           3.1
exploitability   8.3
remediation      7.7
relevance        3.7
threat           0.0
urgency          2.9
incentive        8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.