CVE-2026-34784

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34784

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34784.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-34784

Aliases

Published

2026-03-31T19:39:54.736Z

Modified

2026-04-10T05:43:04.999846Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server: Streaming file download bypasses afterFind file trigger authorization

Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34784.json"
}

References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

Fixed

9acb5cf202e87a7d9ebe306651698e98d4c7665a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.6.71"
        }
    ]
}

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

532a461d30a6ed4457839f2caf5f30d5abf51a55

Fixed

4d7f5942b697aa2f36a18912869ba2a7568b5a18

Database specific

{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.7.1-alpha.1"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.25

2.2.25-beta.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.8.0

2.8.2

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.10.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.7.1

3.7.2

3.8.0

3.9.0

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.4.0

4.5.0

5.*

5.0.0

5.0.0-alpha.1

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0

5.3.1

5.3.2

5.3.3

5.4.0

6.*

6.0.0

6.1.0

6.2.0

6.2.1

6.2.2

6.3.0

6.3.1

6.4.0

7.*

7.0.0

7.1.0

7.2.0

7.3.0

7.4.0

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.3.0

8.4.0

8.5.0

8.6.0

8.6.1

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.6.19

8.6.2

8.6.20

8.6.21

8.6.22

8.6.23

8.6.24

8.6.25

8.6.26

8.6.27

8.6.28

8.6.29

8.6.3

8.6.30

8.6.31

8.6.32

8.6.33

8.6.34

8.6.35

8.6.36

8.6.37

8.6.38

8.6.39

8.6.4

8.6.40

8.6.41

8.6.42

8.6.43

8.6.44

8.6.45

8.6.46

8.6.47

8.6.48

8.6.49

8.6.5

8.6.50

8.6.51

8.6.52

8.6.53

8.6.54

8.6.55

8.6.56

8.6.57

8.6.58

8.6.59

8.6.6

8.6.60

8.6.61

8.6.62

8.6.63

8.6.64

8.6.65

8.6.66

8.6.67

8.6.68

8.6.69

8.6.7

8.6.70

8.6.8

8.6.9

9.*

9.0.0

9.1.0

9.1.1

9.2.0

9.3.0

9.3.1

9.4.0

9.4.1

9.5.0

9.5.1

9.6.0

9.6.1

9.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34784.json"