Vulnerability details: VCID-n19y-uwm6-3udp
Vulnerability ID VCID-n19y-uwm6-3udp
Aliases CVE-2026-32594
GHSA-p2x3-8689-cwpg
Summary Parse Server's GraphQL WebSocket endpoint bypasses security middleware

### Impact

Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.

### Patches

The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.

### Workarounds

Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2026-32594
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p2x3-8689-cwpg
cvssv4 6.9 https://github.com/parse-community/parse-server
generic_textual MODERATE https://github.com/parse-community/parse-server
cvssv4 6.9 https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
generic_textual MODERATE https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
cvssv4 6.9 https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375
generic_textual MODERATE https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375
cvssv4 6.9 https://github.com/parse-community/parse-server/pull/10189
generic_textual MODERATE https://github.com/parse-community/parse-server/pull/10189
ssvc Track https://github.com/parse-community/parse-server/pull/10189
cvssv4 6.9 https://github.com/parse-community/parse-server/pull/10190
generic_textual MODERATE https://github.com/parse-community/parse-server/pull/10190
ssvc Track https://github.com/parse-community/parse-server/pull/10190
cvssv3.1_qr MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
cvssv4 6.9 https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
generic_textual MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-32594
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-32594
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10189
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/ Found at https://github.com/parse-community/parse-server/pull/10189
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10190
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/ Found at https://github.com/parse-community/parse-server/pull/10190
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32594
Exploit Prediction Scoring System (EPSS)
Percentile 0.24851
EPSS Score 0.00086
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:57:02.465294+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p2x3-8689-cwpg/GHSA-p2x3-8689-cwpg.json 38.6.0