CVE-2026-31800: Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
The _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data.
References
- github.com/advisories/GHSA-7xg7-rqf6-pw6c
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.25
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12
- github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c
- nvd.nist.gov/vuln/detail/CVE-2026-31800
Code Behaviors & Features
Detect and mitigate CVE-2026-31800 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →