CVE-2026-30854: Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

March 9, 2026

When graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected.

References

github.com/advisories/GHSA-q5q9-2rhp-33qw
github.com/parse-community/parse-server
github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw
nvd.nist.gov/vuln/detail/CVE-2026-30854

Code Behaviors & Features

Detect and mitigate CVE-2026-30854 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →