CVE-2026-32594

Description

### Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. ### Patches The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types. ### Workarounds Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.

How to fix CVE-2026-32594

To remediate CVE-2026-32594, upgrade the affected package to a fixed version below.

• —upgrade to 8.6.40 or later
• —upgrade to 9.6.0-alpha.14 or later

Is CVE-2026-32594 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 8.6.40, >= 9.0.0, < 9.6.0
• >= 9.0.0, < 9.6.0-alpha.14

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32594
• PATCHgithub.com/parse-community/parse-server
• WEBgithub.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
• WEBgithub.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375