CVE Catalog

CVE-2026-47248

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.51%

39th percentile — higher than 39% of all known CVEs

Summary

Parse Server prior to versions 8.6.78 and 9.9.1-alpha.2 discloses schema metadata through GraphQL validation-error messages, allowing unauthenticated users to reconstruct class and field names.

Risk Assessment

Unauthenticated users may exploit this vulnerability to gain insights into the application's structure, increasing the risk of attacks on the system.

Recommendation

It is recommended to update Parse Server to versions 8.6.78 or 9.9.1-alpha.2 to mitigate this vulnerability.

Original NVD description (English source)

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS