GHSA-7xg7-rqf6-pw6c

Source

https://github.com/advisories/GHSA-7xg7-rqf6-pw6c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7xg7-rqf6-pw6c/GHSA-7xg7-rqf6-pw6c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7xg7-rqf6-pw6c

Aliases

Published

2026-03-11T00:23:01Z

Modified

2026-03-14T03:41:17.892207Z

Severity

8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Details

Impact

The _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data.

Patches

The fix adds the affected internal classes to the classesWithMasterOnlyAccess list, ensuring that the generic /classes/ routes enforce master key access consistently with the dedicated endpoints.

Workarounds

There is no known workaround.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c
Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12
Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.25

Database specific

{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:23:01Z",
    "nvd_published_at": "2026-03-10T21:16:49Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0-alpha.1

Fixed

9.5.2-alpha.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7xg7-rqf6-pw6c/GHSA-7xg7-rqf6-pw6c.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.25

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7xg7-rqf6-pw6c/GHSA-7xg7-rqf6-pw6c.json"