CVE-2026-34532: parse-server has cloud function validator bypass via prototype chain traversal
An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared with the function keyword and its validator is a plain object or arrow function, the trigger store lookup resolves the handler through the function's own prototype chain (the handler's .prototype.constructor is the handler itself), while the validator store lookup does not mirror that traversal and resolves to nothing, so all access control enforcement is skipped.
This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic.
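As an added illustration (not parse-server's own code), a minimal model of the lookup mismatch described above: a dotted-path lookup built on ordinary property access finds a function-declared handler again under hello.prototype.constructor, while the same lookup over the plain-object validator store comes back empty; an own-property-only lookup, shown beside it, refuses the traversal. The store contents, the dispatch helper and its return strings are constructed for the example.

```javascript
// Added example, not parse-server code: models why a handler lookup can
// succeed through a prototype chain while the matching validator lookup
// misses, and how an own-property-only lookup closes that gap.

// Naive lookup: each dotted segment is resolved with node[segment], which
// follows the prototype chain and steps onto function properties.
function lookupNaive(store, path) {
  let node = store;
  for (const segment of path.split('.')) {
    if (node === undefined || node === null) return undefined;
    node = node[segment];
  }
  return node;
}

// Hardened lookup: every intermediate node must be a plain object and the
// segment must be one of its own properties, so no segment can reach a
// function's .prototype or anything inherited.
function lookupOwnOnly(store, path) {
  let node = store;
  for (const segment of path.split('.')) {
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, segment)) {
      return undefined;
    }
    node = node[segment];
  }
  return node;
}

// Constructed stores: a handler declared with the function keyword (so it
// owns a .prototype whose .constructor points back to it) and a plain-object
// validator registered under the same name.
const triggers = { hello: function hello(req) { return 'hi ' + req.user; } };
const validators = { hello: { requireUser: true } };

// Dispatch model: a handler with no resolvable validator runs unvalidated.
function dispatch(lookup, name) {
  const handler = lookup(triggers, name);
  const validator = lookup(validators, name);
  if (typeof handler !== 'function') return 'not found';
  if (validator === undefined) return 'unvalidated'; // access control skipped
  return 'validated';
}

console.log(dispatch(lookupNaive, 'hello.prototype.constructor'));   // unvalidated
console.log(dispatch(lookupOwnOnly, 'hello.prototype.constructor')); // not found
```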
References
- github.com/advisories/GHSA-vpj2-qq7w-5qq6
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7
- github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674
- github.com/parse-community/parse-server/pull/10342
- github.com/parse-community/parse-server/pull/10343
- github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
- nvd.nist.gov/vuln/detail/CVE-2026-34532