CVE-2026-47248
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
Parse Server prior to versions 8.6.78 and 9.9.1-alpha.2 discloses schema metadata through GraphQL validation-error messages, allowing unauthenticated users to reconstruct class and field names.
Risk Assessment
Unauthenticated users may exploit this vulnerability to gain insights into the application's structure, increasing the risk of attacks on the system.
Recommendation
It is recommended to update Parse Server to versions 8.6.78 or 9.9.1-alpha.2 to mitigate this vulnerability.
Original NVD description (English source)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.

