CVE-2026-34784: Parser Server's streaming file download bypasses afterFind file trigger authorization
File downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.
References
- github.com/advisories/GHSA-hpm8-9qx6-jvwv
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337
- github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22
- github.com/parse-community/parse-server/pull/10361
- github.com/parse-community/parse-server/pull/10362
- github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv
- nvd.nist.gov/vuln/detail/CVE-2026-34784
Code Behaviors & Features
Detect and mitigate CVE-2026-34784 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →