Cyber Posture

CVE-2026-31800

Severity: Critical

Published: 10 March 2026
Modified: 11 March 2026
KEV Added: (no date recorded)
Patch: available
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Enforces approved authorizations for logical access to system resources, directly preventing unauthorized read, modification, and deletion of the _GraphQLConfig and _Audience classes via unprotected REST API routes.
- Prevent: Identifies and authorizes only specific actions without identification or authentication, mitigating the bypass of master key requirements on generic /classes/ endpoints.
- Prevent: Employs least privilege to restrict access to sensitive internal classes to only the authorized users or processes that present master key authentication.

Security Summary

CVE-2026-31800 affects Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.5.2-alpha.12 and 8.6.25, the internal _GraphQLConfig and _Audience classes are exposed through generic REST API routes at /classes/_GraphQLConfig and /classes/_Audience. These routes allow read, modify, and delete operations without requiring master key authentication, circumventing the master key enforcement present on the dedicated /graphql-config and /push_audiences endpoints. The vulnerability, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Any unauthenticated attacker with network access to the Parse Server instance can exploit this issue. By sending requests to the exposed REST API endpoints, they can read sensitive GraphQL configuration details, alter configurations, delete push audience data, or manipulate audience definitions, potentially disrupting services or enabling further attacks such as unauthorized data exfiltration or service misconfiguration.

Parse Server advisories recommend upgrading to version 9.5.2-alpha.12 or 8.6.25, where the vulnerability is fixed by enforcing proper authorization on the generic class routes. Details are available in the GitHub security advisory GHSA-7xg7-rqf6-pw6c and release notes for tags 8.6.25 and 9.5.2-alpha.12.

Details

CWE(s)

CWE-862 (Missing Authorization)

Affected Products

parseplatform / parse-server
Affected versions: 9.5.2 · ≤ 8.6.25 · 9.0.0 through 9.5.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes REST API endpoints for internal classes (/classes/_GraphQLConfig and /classes/_Audience) in Parse Server without master key authentication, allowing unauthenticated remote attackers to read, modify, and delete configuration and push audience data, which is exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
