CVE-2026-47248
Published 2026-06-12
Priority P342 · Severity: medium · CVSS 4.0 base score: 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.29% (20.8th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
Affected
2 ranges (both taken from the advisory text: fixed in 8.6.78 on the 8.x line and in 9.9.1-alpha.2 on the 9.x pre-release line)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.78 | 8.6.78 |
| parse-community | parse-server | < 9.9.1-alpha.2 (9.x pre-release line) | 9.9.1-alpha.2 |
VulDB
vuldb · 2026-06-12 · CVSS 6.9 · MEDIUM
CVE-2026-47248: parse-community parse-server up to 8.6.77/9.9.1-alpha.1 GraphQL Endpoint information exposure (GHSA-8cph-rgr4-g5vj / EUVD-2026-36534)
A vulnerability, which was classified as problematic, has been found in parse-community parse-server up to 8.6.77/9.9.1-alpha.1. Affected by this issue is some unknown functionality of the component GraphQL Endpoint. The manipulation leads to information exposure through error message.
This vulnerability is traded as CVE-2026-47248. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
ghsa · 2026-05-29 · MEDIUM · CWE-209 (Generation of Error Message Containing Sensitive Information)
CVE-2026-47248: Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
### Impact
Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through `Did you mean ...?` suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This bypasses the `IntrospectionControlPlugin` enforced when `graphQLPublicIntrospection: false` (the default) and defeats the schema-hiding goal of prior advisories GHSA-48q3-prgv-gm4w and GHSA-q5q9-2rhp-33qw. Schema disclosure aids reconnaissance for downstream authorization probing but does not by
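The leak described above and one mitigation shape, as an added example that is not Parse Server's or graphql-js's code: a toy GraphQL-style validator that exposes no introspection at all still appends `Did you mean ...?` suggestions built from the real field names, so an unauthenticated probe loop that sends only misspelled guesses recovers them one error at a time; a formatError-style redaction for unauthenticated callers closes that channel. The field names, probe guesses, server functions and the Levenshtein-based suggestion routine are constructed for this example (the routine approximates graphql-js's suggestionList; the actual fix shipped in 8.6.78 and 9.9.1-alpha.2 may differ).

```javascript
// Added example, not Parse Server or graphql-js code. Simulates the schema leak through
// "Did you mean ...?" validation errors and a formatError-style redaction that closes it.

// Constructed toy schema: root Query field names of a hypothetical app (assumption).
const QUERY_FIELDS = ['users', 'user', 'posts', 'post', 'sessions', 'health', 'viewer'];

// Plain Levenshtein edit distance, used by the toy suggestion routine below.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Approximation of graphql-js suggestionList: names within an edit-distance threshold
// that scales with the input length, nearest first, ties broken alphabetically.
function suggestionList(input, options) {
  const threshold = Math.floor(input.length * 0.4) + 1;
  return options
    .map((name) => ({ name, d: levenshtein(input, name) }))
    .filter((x) => x.d <= threshold)
    .sort((x, y) => x.d - y.d || x.name.localeCompare(y.name))
    .map((x) => x.name);
}

// Phrase suggestions the way GraphQL validation messages do.
function didYouMean(names) {
  if (names.length === 0) return '';
  const q = names.map((n) => `"${n}"`);
  if (q.length === 1) return ` Did you mean ${q[0]}?`;
  if (q.length === 2) return ` Did you mean ${q[0]} or ${q[1]}?`;
  return ` Did you mean ${q.slice(0, -1).join(', ')}, or ${q[q.length - 1]}?`;
}

// Toy validator for a root-level field selection. It has no introspection path; the only
// schema information it ever emits is the suggestion suffix on an unknown-field error.
function validateField(name) {
  if (QUERY_FIELDS.includes(name)) return null; // valid selection, no error
  const suggestions = suggestionList(name, QUERY_FIELDS).slice(0, 5);
  return { message: `Cannot query field "${name}" on type "Query".${didYouMean(suggestions)}` };
}

// Attacker side: pull the quoted names out of a "Did you mean ...?" suffix.
function harvestNames(message) {
  const m = / Did you mean (.+)\?$/.exec(message);
  return m ? [...m[1].matchAll(/"([^"]+)"/g)].map((x) => x[1]) : [];
}

// Attacker side: run guesses against a server function (name -> error | null) and
// collect every field name the server either accepted or suggested.
function reconstructSchema(guesses, sendQuery) {
  const found = new Set();
  for (const g of guesses) {
    const err = sendQuery(g);
    if (err === null) { found.add(g); continue; }
    for (const n of harvestNames(err.message)) found.add(n);
  }
  return [...found].sort();
}

// Mitigation shape (assumption, not necessarily what the Parse Server patch does): strip
// the suggestion suffix from errors returned to unauthenticated callers.
function redactSuggestions(error, isAuthenticated) {
  if (isAuthenticated) return error;
  return { ...error, message: error.message.replace(/ Did you mean .*\?$/, '') };
}

// Constructed probe list: deliberately misspelled guesses, none of which is a real field.
const PROBE_GUESSES = ['usr', 'pst', 'sesion', 'healt', 'viewr'];
const leakyServer = (name) => validateField(name);
const hardenedServer = (name) => {
  const err = validateField(name);
  return err === null ? null : redactSuggestions(err, false);
};

console.log('leaky   :', reconstructSchema(PROBE_GUESSES, leakyServer));
console.log('hardened:', reconstructSchema(PROBE_GUESSES, hardenedServer));
```

Run with `node`: against the leaky server every real field name comes back from five guesses that were all wrong, which is the reconnaissance the advisory describes; against the hardened server the same guesses yield nothing, because the redaction leaves only the caller's own input in the error. Redacting at the error-formatting layer rather than in the validator keeps the suggestions for authenticated developers, who are the audience the hint was written for.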
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.