CVE-2026-32594

描述

### Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. ### Patches The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types. ### Workarounds Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.

受影響套件(2)

• Bitnami/parsefrom 0, < 8.6.40, >= 9.0.0, < 9.6.0
• npm/parse-server>= 9.0.0, < 9.6.0-alpha.14

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32594
• PATCHhttps://github.com/parse-community/parse-server
• WEBhttps://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3
• WEBhttps://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375
• WEBhttps://github.com/parse-community/parse-server/pull/10189
• WEBhttps://github.com/parse-community/parse-server/pull/10190
• WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg