Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ww53-ctcz-r7bp
Vulnerability ID VCID-ww53-ctcz-r7bp
Aliases CVE-2026-32944
GHSA-9xp9-j92r-p88v
Summary Parse Server crash via deeply nested query condition operators ### Impact An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. ### Patches A depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. ### Workarounds None.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-674 Uncontrolled Recursion
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-32944
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-32944
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-32944
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-9xp9-j92r-p88v
cvssv4 8.7 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.7 https://github.com/parse-community/parse-server/pull/10202
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10202
ssvc Track https://github.com/parse-community/parse-server/pull/10202
cvssv4 8.7 https://github.com/parse-community/parse-server/pull/10203
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10203
ssvc Track https://github.com/parse-community/parse-server/pull/10203
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
cvssv4 8.7 https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-32944
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-32944
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-32944
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/pull/10202
https://github.com/parse-community/parse-server/pull/10203
https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
https://nvd.nist.gov/vuln/detail/CVE-2026-32944
GHSA-9xp9-j92r-p88v https://github.com/advisories/GHSA-9xp9-j92r-p88v
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10202
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/ Found at https://github.com/parse-community/parse-server/pull/10202
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10203
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/ Found at https://github.com/parse-community/parse-server/pull/10203
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32944
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05612
EPSS Score 0.0002
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:57:06.464884+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9xp9-j92r-p88v/GHSA-9xp9-j92r-p88v.json 38.6.0