CVE-2026-34784
Published: 2026-03-31
Priority: P349 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.38% (29.6th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.71 | 8.6.71 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.71 | 8.6.71 |
| parse-community | parse-server | >= 9.0.0 < 9.7.1-alpha.1 | 9.7.1-alpha.1 |
| parseplatform | parse-server | < 8.6.71 | 8.6.71 |
| parseplatform | parse-server | >= 9.0.0 < 9.7.1 | 9.7.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Parse Server's streaming file download bypasses afterFind file trigger authorization
osv · 2026-04-01 · CVE-2026-34784 [HIGH]
### Impact
File downloads via HTTP Range requests bypass the `afterFind(Parse.File)` trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by `afterFind` trigger authorization logic or built-in validators such as `requireUser`.
### Patches
The streaming file download path now executes the `afterFind(Parse.File)` trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.
### Workarounds
Use `beforeFind(Parse.File)` instead of `afterFind(Parse.File)` for file access authorization. T
GHSA
Parse Server's streaming file download bypasses afterFind file trigger authorization
ghsa · 2026-04-01 · CVE-2026-34784 [HIGH] · CWE-285
### Impact
File downloads via HTTP Range requests bypass the `afterFind(Parse.File)` trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by `afterFind` trigger authorization logic or built-in validators such as `requireUser`.
### Patches
The streaming file download path now executes the `afterFind(Parse.File)` trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.
### Workarounds
Use `beforeFind(Parse.File)` instead of `afterFind(Parse.File)` for file access authorization. T
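The workaround in the OSV and GHSA sections above, written out as Cloud Code. This is an added example, not code from the Parse Server project or the advisory. It assumes Parse Server's file trigger API as documented: `Parse.Cloud.beforeFind(Parse.File, handler)`, a trigger `request` carrying `file` (a `Parse.File`), `user` and `master`, and `Parse.Error.OPERATION_FORBIDDEN` to reject the request. The names `decideFileAccess`, `registerFileAuthorization` and the `isPublic` option are chosen here. Cloud Code that attaches authorization with `Parse.Cloud.afterFind(Parse.File, handler, { requireUser: true })` is the pattern the advisory says Range requests skip on unpatched servers; the same rule moved into `beforeFind` runs before the first byte is sent, whether or not the client asked for partial content.

```javascript
// Added example: a beforeFind(Parse.File) authorization policy for Parse Server
// Cloud Code, the workaround described in the advisory. Not code from the Parse
// Server project. decideFileAccess, registerFileAuthorization and the isPublic
// option are names chosen here; request.file / request.user / request.master
// follow Parse Server's file trigger request shape.

// Pure policy decision. It deliberately looks only at who is asking and which
// file is requested, never at request headers, so a Range (partial content)
// download gets exactly the same answer as a full download.
function decideFileAccess(request, options = {}) {
  const isPublic = options.isPublic || (() => false); // deployer-supplied predicate
  const file = request.file;
  // Parse.File exposes the stored name via name(); tolerate a missing file object.
  const storedName = file && typeof file.name === 'function' ? file.name() : '';
  if (request.master) {
    return { allow: true, reason: 'master key' };
  }
  // Parse Server stores uploads as '<random hex>_<original name>' unless
  // preserveFileName is enabled, so the predicate receives the full stored name.
  if (isPublic(storedName)) {
    return { allow: true, reason: 'public file ' + storedName };
  }
  if (!request.user) {
    return { allow: false, reason: 'unauthenticated download of ' + storedName };
  }
  return { allow: true, reason: 'authenticated user ' + request.user.id };
}

// Registers the policy as beforeFind(Parse.File). Throwing from this trigger
// makes Parse Server reject the download before any data is streamed, for full
// and Range requests alike. In cloud/main.js: registerFileAuthorization(Parse, { isPublic }).
function registerFileAuthorization(Parse, options = {}) {
  Parse.Cloud.beforeFind(Parse.File, (request) => {
    const decision = decideFileAccess(request, options);
    // File trigger requests carry the server logger as request.log; guarded in
    // case a different harness calls the handler.
    if (request.log && typeof request.log.info === 'function') {
      request.log.info(`file access ${decision.allow ? 'allowed' : 'denied'}: ${decision.reason}`);
    }
    if (!decision.allow) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'File download denied');
    }
  });
}

// When loaded as Cloud Code, Parse Server provides a global `Parse`, so the
// trigger registers itself. Loaded standalone (e.g. by a unit test) this is a no-op.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  registerFileAuthorization(Parse);
}
```

Keep the decision in a plain function, as above, so it can be unit-tested with a fake `Parse` object and so the same rule is trivially reusable if the project later moves it elsewhere; the trigger body should do nothing but call the policy and throw.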
No detection rules found.
No public exploits indexed.
https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
https://github.com/parse-community/parse-server/pull/10361
https://github.com/parse-community/parse-server/pull/10362
https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv