CVE-2026-50008: parse-server: Server option routeAllowList is bypassable through batch sub-requests

June 19, 2026

The routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list.

Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed.

References

github.com/advisories/GHSA-p84r-h6rx-f2xr
github.com/parse-community/parse-server/pull/10482
github.com/parse-community/parse-server/security/advisories/GHSA-p84r-h6rx-f2xr
nvd.nist.gov/vuln/detail/CVE-2026-50008

Code Behaviors & Features

Detect and mitigate CVE-2026-50008 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →