CVE-2026-34532 Parseplatform — Exploit & Vulnerability Details CRITICAL

Parameter	Value
CVSS	9.1 (CRITICAL)
Affected Versions	9.0.0 — 9.7.0
Fixed In	8.6.67
Type	CWE-863 (Incorrect Authorization)
Vendor	Parseplatform
Public PoC	No

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.

This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-863 Incorrect Authorization

Vulnerable Products 12

Configuration	From (including)	Up to (excluding)
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server::::::node.js::*	—	`8.6.67`
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server::::::node.js::*	`9.0.0`	`9.7.0`
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8::::node.js::*	—	—
Parseplatform Parse-Server cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9::::node.js::*	—	—