#VU125004 Missing Authentication for Critical Function in Parse Server - CVE-2026-32594

 


Published: April 6, 2026


Vulnerability identifier: #VU125004
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32594
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists because the GraphQL WebSocket endpoint used for subscriptions does not require authentication when handling WebSocket connections. A remote attacker can connect to the endpoint and send GraphQL operations to disclose sensitive information and cause a denial of service.

The issue also allows access to the GraphQL schema via introspection even when public introspection is disabled, and it allows configured query complexity limits to be bypassed.


Remediation

Install the security update from the vendor's website.
