CVE-2020-15126
MEDIUM 6.5
EPSS 0.46%
GraphQL: Security breach on Viewer query
Published: 7/22/2020
Modified: 3/13/2026
Also known as: GHSA-236h-rqv8-8q73
Description
### Impact

An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

### Patches

This vulnerability has been patched in Parse Server 4.3.0.

### Workarounds

No

### References

See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.
Affected packages (1)
- npm/parse-server: >= 3.5.0, < 4.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-15126
- WEB: https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
- WEB: https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- WEB: https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73