CVE-2026-50008
Published 2026-06-12
Priority P3 · 46 · medium · 6.9 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics: X, not defined)
EPSS: 0.34% (26.1st percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 9.8.0 < 9.9.1-alpha.3 | 9.9.1-alpha.3 |
GHSA · 2026-06-19
CVE-2026-50008 [MEDIUM] CWE-863 parse-server: Server option routeAllowList is bypassable through batch sub-requests
### Impact
The `routeAllowList` server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the `/batch` handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches `batch` can issue batch sub-requests to any REST API route that the operator omitted from the allow-list.
Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed.
### Patches
`routeAllowList` is now re-enforced for each batch sub-request inside the batch handl
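To make the mechanism in the Impact section and the fix in the Patches section concrete, the following is an added JavaScript model written for this page; it is not Parse Server's code and not taken from the advisory. It models a REST router with an operator-configured route allow-list enforced only as an outer middleware, a `/batch` endpoint that dispatches sub-requests straight to the internal router, and the per-sub-request re-check the advisory describes as the patch. `ROUTE_ALLOW_LIST`, the route names, the handler table, the prefix-matching semantics of `isRouteAllowed`, and the `enforcePerSubRequest` switch are all assumptions made for the illustration, not Parse Server's actual configuration or API.

```javascript
// Added illustration, not Parse Server's code. Models an outer allow-list
// middleware, a /batch endpoint dispatching to the internal router, and the
// per-sub-request re-check that closes the gap. Names and matching semantics
// below are assumptions for this example.

// Hypothetical operator configuration: only these routes are meant to be
// reachable by external clients.
const ROUTE_ALLOW_LIST = ['batch', 'classes/Note'];

// Normalise a request path to a route key: drop leading slashes and the query.
function routeOf(path) {
  return path.replace(/^\/+/, '').split('?')[0];
}

// Assumed allow-list semantics: exact match, or a sub-path of an allowed
// prefix ("classes/Note" also permits "classes/Note/<objectId>").
function isRouteAllowed(path, allowList) {
  const route = routeOf(path);
  return allowList.some((allowed) => route === allowed || route.startsWith(allowed + '/'));
}

// Internal route table. The handlers are stand-ins; in a real server the
// authentication, ACL and CLP checks would still run inside each of them,
// which is why the advisory says only the route firewall is bypassed.
const HANDLERS = {
  'classes/Note': () => ({ status: 200, body: { results: [] } }),
  users: () => ({ status: 200, body: { results: [] } }),
  batch: (req, opts) => handleBatch(req, opts),
};

// Internal router: no allow-list check here, by design of the model.
function dispatchInternal(req, opts) {
  const route = routeOf(req.path);
  const key = Object.keys(HANDLERS).find((k) => route === k || route.startsWith(k + '/'));
  return key ? HANDLERS[key](req, opts) : { status: 404, body: { error: 'not found' } };
}

// The /batch handler. With enforcePerSubRequest=false it reproduces the flaw:
// sub-requests go straight to the internal router and the outer middleware
// never sees their paths. With enforcePerSubRequest=true the allow-list is
// re-applied to every sub-request before dispatch (the patched behaviour).
function handleBatch(req, opts) {
  const subRequests = req.body && Array.isArray(req.body.requests) ? req.body.requests : [];
  const results = subRequests.map((sub) => {
    if (opts.enforcePerSubRequest && !isRouteAllowed(sub.path, opts.allowList)) {
      return { error: { code: 403, message: 'route not allowed' } };
    }
    const res = dispatchInternal({ path: sub.path, method: sub.method, body: sub.body }, opts);
    return res.status === 200
      ? { success: res.body }
      : { error: { code: res.status, message: res.body.error } };
  });
  return { status: 200, body: results };
}

// Outer middleware layer: checks only the top-level request URL, then hands
// the request to the internal router. "/batch" passes because it is listed.
function handleRequest(req, opts) {
  if (!isRouteAllowed(req.path, opts.allowList)) {
    return { status: 403, body: { error: 'route not allowed' } };
  }
  return dispatchInternal(req, opts);
}

// Exercise an omitted route ("users") directly and via /batch under one
// configuration; returns the observed status codes for inspection.
function demo(enforcePerSubRequest) {
  const opts = { allowList: ROUTE_ALLOW_LIST, enforcePerSubRequest };
  const direct = handleRequest({ path: '/users', method: 'GET' }, opts);
  const batched = handleRequest(
    {
      path: '/batch',
      method: 'POST',
      body: { requests: [{ method: 'GET', path: '/users' }, { method: 'GET', path: '/classes/Note' }] },
    },
    opts
  );
  return {
    directStatus: direct.status,
    subStatuses: batched.body.map((r) => (r.success ? 200 : r.error.code)),
  };
}

console.log('unpatched:', JSON.stringify(demo(false))); // direct 403, batch [200,200]
console.log('patched:  ', JSON.stringify(demo(true))); // direct 403, batch [403,200]
```

Run with `node` and compare the two lines: in the unpatched configuration the direct request to an omitted route is refused while the same route succeeds as a batch sub-request, and in the patched configuration both paths are refused. The design point for operators is that any handler which re-dispatches internally (batch, proxies, aggregate endpoints) has to apply the same route policy to each inner request, because a check that only sees the outer URL cannot reason about what that URL fans out into.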
VulDB · 2026-06-12 · CVSS 6.9
CVE-2026-50008 [MEDIUM] parse-community parse-server up to 9.9.1-alpha.2 authorization (GHSA-p84r-h6rx-f2xr)
A vulnerability described as critical has been identified in parse-community parse-server up to 9.9.1-alpha.2. This impacts an unknown function. Such manipulation leads to incorrect authorization.
This vulnerability is documented as CVE-2026-50008. The attack can be executed remotely. No exploit is available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-12