CVE-2026-32594: Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.
References
- github.com/advisories/GHSA-p2x3-8689-cwpg
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
- github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375
- github.com/parse-community/parse-server/pull/10189
- github.com/parse-community/parse-server/pull/10190
- github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg
- nvd.nist.gov/vuln/detail/CVE-2026-32594