CVE-2026-32944
Published 2026-03-18
Priority P3 · 44 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.48% (38.0th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in versions 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
Affected (10 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.55 | 8.6.55 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.45 | 8.6.45 |
| parse-community | parse-server | >= 9.0.0 < 9.6.0-alpha.21 | 9.6.0-alpha.21 |
| parseplatform | parse-server | < 8.6.45 | 8.6.45 |
| parseplatform | parse-server | < 8.6.55 | 8.6.55 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 0 < 8.6.55 | 8.6.55 |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0 | 9.6.0 |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0-alpha.44 | 9.6.0-alpha.44 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| GHSA | — | 8.7 | HIGH | — |
| OSV | — | 8.7 | HIGH | — |
OSV · 2026-03-20 · CVSS 8.7
CVE-2026-33498 [HIGH] Parse Server has a query condition depth bypass via pre-validation transform pipeline
### Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
### Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
### Workarounds
None.
GHSA · 2026-03-20 · CVSS 8.7
CVE-2026-33498 [HIGH] CWE-674 Parse Server has a query condition depth bypass via pre-validation transform pipeline
Advisory text identical to the OSV entry above.
GHSA · 2026-03-17
CVE-2026-32944 [HIGH] CWE-674 Parse Server crash via deeply nested query condition operators
### Impact
An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients.
### Patches
A depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app.
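As an added illustration (not Parse Server's own code), the pattern both advisories describe: a fail-closed nesting-depth check for a Parse-style `where` object that runs before any recursive transform step, which is exactly the ordering the CVE-2026-33498 entry above says the follow-up fix restored. The operator set (`$and`, `$or`, `$nor`), the error class, the function names and the limit of 10 are assumptions; only the `requestComplexity.queryDepth` option name comes from the page.

```javascript
// Added example, not Parse Server code. Assumed operator set: $and/$or/$nor.
const LOGICAL_OPS = new Set(['$and', '$or', '$nor']);

// Stands in for the page's requestComplexity.queryDepth option; 10 is an
// assumed value, not a recommendation from the advisory.
const QUERY_DEPTH_LIMIT = 10;

class QueryDepthError extends Error {}

// Measures how deeply logical operators are nested in a `where` object.
// Uses an explicit stack rather than recursion, so the guard itself cannot
// exhaust the call stack, and throws at the first node over the limit
// instead of visiting the whole (possibly huge) structure.
function checkQueryDepth(where, maxDepth = QUERY_DEPTH_LIMIT) {
  const stack = [{ node: where, depth: 0 }];
  let maxSeen = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (Array.isArray(node)) {
      for (const item of node) stack.push({ node: item, depth });
      continue;
    }
    for (const [key, value] of Object.entries(node)) {
      // Only logical operators open a new nesting level; field
      // constraints such as {score: {$gt: 10}} stay at the current depth.
      const next = LOGICAL_OPS.has(key) ? depth + 1 : depth;
      if (next > maxDepth) {
        throw new QueryDepthError(`query depth ${next} exceeds limit ${maxDepth}`);
      }
      if (next > maxSeen) maxSeen = next;
      stack.push({ node: value, depth: next });
    }
  }
  return maxSeen;
}

// The ordering the CVE-2026-33498 fix describes: validate depth first, then
// hand the query to the (hypothetical, possibly recursive) transform.
function transformQuerySafely(where, transform, maxDepth = QUERY_DEPTH_LIMIT) {
  checkQueryDepth(where, maxDepth);
  return transform(where);
}

// Constructed sample input: `levels` nested $or operators around one constraint.
function nestedOr(levels) {
  let q = { score: { $gt: 10 } };
  for (let i = 0; i < levels; i++) q = { $or: [q] };
  return q;
}
```

Because the check walks iteratively and stops at the first violation, a request nested tens of thousands of levels deep is rejected in a bounded number of steps without ever reaching code that recurses over it.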
### Workarounds
None.
OSV · 2026-03-17
CVE-2026-32944 [HIGH] Parse Server crash via deeply nested query condition operators
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz) · CVSS 8.7
CVE-2026-32944 [HIGH] CVE-2026-32944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32944: JavaScript vulnerability analysis and mitigation
| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.7 |
| Published | March 18, 2026 |
| Severity | HIGH |
| CNA Score | 8.7 |
| Affected Technologies | JavaScript |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 4.2 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | parse-server |
| Sources | NVD |
| npm | Severity HIGH · Has Fix · Added at: Mar 17, 2026 |
Wiz (blogs_wiz) · CVSS 8.7
CVE-2026-33498 [HIGH] CVE-2026-33498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33498: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.7 |
| Published | March 24, 2026 |
| Severity | HIGH |
| CNA Score | 8.7 |
| Affected Technologies | JavaScript |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |