CVE-2026-34373
GraphQL API endpoint ignores CORS origin restriction
Description
### Impact The GraphQL API endpoint does not respect the `allowOrigin` server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured `allowOrigin` restriction. ### Patches The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the `allowOrigin` and `allowHeaders` server options are consistently enforced across all endpoints. ### Workarounds There is no known workaround other than upgrading. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335
How to fix CVE-2026-34373
To remediate CVE-2026-34373, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.66 or later
- —upgrade to 9.7.0-alpha.10 or later
Is CVE-2026-34373 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.66, >= 9.0.0, < 9.7.0
- >= 9.0.0, < 9.7.0-alpha.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |