Parse Server, GraphQL CORS Bypass, Moderate Severity


The GraphQL API endpoint in Parse Server versions 3.5.0–8.6.65 and 9.0.0–9.7.0-alpha.9 fails to enforce the `allowOrigin` server configuration. While the REST API correctly validates the `Origin` header against the configured list of allowed origins, the GraphQL endpoint uses a separate CORS middleware that unconditionally adds an `Access-Control-Allow-Origin` header accepting any origin. This allows any website to make cross-origin requests to the GraphQL API, effectively nullifying the operator’s origin restrictions. The vulnerability stems from inconsistent CORS handling between the two API layers, enabling malicious sites to read sensitive data or perform authenticated actions on behalf of users who visit the attacker’s page. The issue is addressed by replacing the GraphQL endpoint’s CORS middleware with the same logic used by the REST API, ensuring that both the `allowOrigin` and `allowHeaders` settings are applied uniformly.
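The fix described above, as an added illustration (not Parse Server's own code): an Express-style CORS middleware that applies the operator's `allowOrigin` and `allowHeaders` settings, shown beside the permissive behaviour the advisory describes. It assumes `allowOrigin` is a string or array of origins (`'*'` meaning any) and `allowHeaders` an array of header names; the config key names mirror those named in the advisory.

```javascript
// Added example, not Parse Server source. Assumed config shape:
//   { allowOrigin: '*' | string | string[], allowHeaders: string[] }

// Vulnerable behaviour: every origin is allowed, regardless of configuration.
function permissiveCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened behaviour: echo the request Origin only if it is on the allow list.
// A disallowed origin gets no Access-Control-Allow-Origin header at all, so
// the browser refuses to expose the response to the calling page.
function restrictedCorsHeaders(requestOrigin, config = {}) {
  const { allowOrigin = '*', allowHeaders = [] } = config;
  const allowed = Array.isArray(allowOrigin) ? allowOrigin : [allowOrigin];
  const headers = {};
  if (allowed.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (requestOrigin && allowed.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // responses differ per origin; keep caches honest
  } else {
    return headers; // origin not allowed: emit nothing
  }
  if (allowHeaders.length > 0) {
    headers['Access-Control-Allow-Headers'] = allowHeaders.join(', ');
  }
  return headers;
}

// Express-compatible middleware using the restricted logic for every route,
// so REST and GraphQL endpoints behave identically.
function corsMiddleware(config) {
  return function (req, res, next) {
    const headers = restrictedCorsHeaders(req.headers.origin, config);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === 'OPTIONS') return res.sendStatus(204); // preflight
    next();
  };
}
```

Mount `corsMiddleware(config)` ahead of both the `/parse` and `/graphql` routers so the GraphQL endpoint can no longer fall back to a separate, permissive handler.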

dailycve form:

Platform: Parse Server
Version: 3.5.0–8.6.65, 9.0.0–9.7.0-alpha.9
Vulnerability: GraphQL CORS bypass
Severity: Moderate
Date: Mar 27, 2026

Prediction: Already patched (Mar 27)

Analytics under What Undercode Say:

Check the Parse Server version:
  npm list parse-server

Test the GraphQL endpoint for the CORS misbehavior:
  curl -H "Origin: https://evil.com" -I https://your-parse-server/graphql | grep -i "access-control-allow-origin"

REST API (correctly restricted) for comparison:
  curl -H "Origin: https://evil.com" -I https://your-parse-server/parse/classes/Test | grep -i "access-control-allow-origin"

How it is exploited:

1. Host malicious JavaScript on an attacker-controlled domain.

2. The victim visits the page while authenticated to Parse Server.

3. The script sends a cross-origin POST/GET to the `/graphql` endpoint.

4. The server responds with a permissive Access-Control-Allow-Origin header, allowing the script to read sensitive GraphQL responses.

Protection from this CVE:

  • Upgrade to Parse Server 8.6.66 or 9.7.0-alpha.10 (or later).
  • If upgrading is not possible, block `/graphql` at the reverse proxy until the upgrade is applied.

Impact:

  • Complete bypass of CORS origin restrictions.
  • Unauthorized cross-origin data exfiltration.
  • Potential session hijacking via authenticated GraphQL operations.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
