parse-community parse-server up to 8.6.77/9.9.1-alpha.1 GraphQL Endpoint information exposure

Summaryinfo

A vulnerability, which was classified as problematic, was found in parse-community parse-server up to 8.6.77/9.9.1-alpha.1. This affects an unknown part of the component GraphQL Endpoint. The manipulation results in information exposure. This vulnerability is known as CVE-2026-47248. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in parse-community parse-server up to 8.6.77/9.9.1-alpha.1. It has been classified as problematic. Affected is some unknown functionality of the component GraphQL Endpoint. The manipulation with an unknown input leads to a information exposure vulnerability. CWE is classifying the issue as CWE-209. The product generates an error message that includes sensitive information about its environment, users, or associated data. This is going to have an impact on confidentiality. CVE summarizes:

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-47248 since 05/19/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 8.6.78 or 9.9.1-alpha.2 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-36534). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• parse-community

Name

• parse-server

Version

• 8.6.0
• 8.6.1
• 8.6.2
• 8.6.3
• 8.6.4
• 8.6.5
• 8.6.6
• 8.6.7
• 8.6.8
• 8.6.9
• 8.6.10
• 8.6.11
• 8.6.12
• 8.6.13
• 8.6.14
• 8.6.15
• 8.6.16
• 8.6.17
• 8.6.18
• 8.6.19
• 8.6.20
• 8.6.21
• 8.6.22
• 8.6.23
• 8.6.24
• 8.6.25
• 8.6.26
• 8.6.27
• 8.6.28
• 8.6.29
• 8.6.30
• 8.6.31
• 8.6.32
• 8.6.33
• 8.6.34
• 8.6.35
• 8.6.36
• 8.6.37
• 8.6.38
• 8.6.39
• 8.6.40
• 8.6.41
• 8.6.42
• 8.6.43
• 8.6.44
• 8.6.45
• 8.6.46
• 8.6.47
• 8.6.48
• 8.6.49
• 8.6.50
• 8.6.51
• 8.6.52
• 8.6.53
• 8.6.54
• 8.6.55
• 8.6.56
• 8.6.57
• 8.6.58
• 8.6.59
• 8.6.60
• 8.6.61
• 8.6.62
• 8.6.63
• 8.6.64
• 8.6.65
• 8.6.66
• 8.6.67
• 8.6.68
• 8.6.69
• 8.6.70
• 8.6.71
• 8.6.72
• 8.6.73
• 8.6.74
• 8.6.75
• 8.6.76
• 8.6.77
• 9.9.1-alpha.0
• 9.9.1-alpha.1

Website

• Product: https://github.com/parse-community/parse-server/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion