CVE-2026-31800: CWE-862: Missing Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and provides REST API endpoints for managing application data and configurations. CVE-2026-31800 is a vulnerability classified under CWE-862 (Missing Authorization) affecting parse-server versions >= 9.0.0 and < 9.5.2-alpha.12, as well as versions below 8.6.25. The issue arises because the internal classes _GraphQLConfig and _Audience, which hold GraphQL configuration and push notification audience data respectively, are reachable through the generic REST API class routes (/classes/_GraphQLConfig and /classes/_Audience) without master key authentication being enforced. The dedicated endpoints for the same data (/graphql-config and /push_audiences) do enforce the master key check, so the generic routes bypass it. As a result, an unauthenticated attacker can read this configuration data, modify it, or delete it entirely, potentially disrupting application functionality or exposing sensitive information. No privileges or user interaction are required, so the flaw is trivially exploitable remotely over the network. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges or user interaction required, high impact on confidentiality and integrity, and low impact on availability. The flaw was fixed in parse-server versions 9.5.2-alpha.12 and 8.6.25. No public exploits have been reported yet, but the ease of exploitation and high impact make this a critical issue for affected deployments.
Potential Impact
The vulnerability allows attackers to bypass master key authentication and gain unauthorized access to critical internal configuration data. This can lead to unauthorized disclosure of sensitive GraphQL schema and push audience information, compromising confidentiality. Attackers can also modify or delete these configurations, potentially causing denial of service or manipulation of application behavior, impacting integrity and availability. Organizations relying on parse-server for backend services may face data breaches, service disruptions, or loss of user trust. Since no authentication is required, automated attacks can be launched at scale, increasing the risk of widespread exploitation. The impact is particularly severe for applications that use GraphQL extensively or rely on push notifications for user engagement, as attackers can alter these mechanisms to their advantage.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to version 9.5.2-alpha.12 or later, or 8.6.25 or later, where the authorization checks on the generic REST API routes have been properly enforced. Until upgrades can be applied, organizations should implement network-level access controls to restrict access to parse-server REST API endpoints, especially the /classes/_GraphQLConfig and /classes/_Audience routes. Deploying Web Application Firewalls (WAFs) with rules to block unauthorized access to these endpoints can reduce exposure. Additionally, monitoring API access logs for unusual or unauthorized requests targeting these internal classes can help detect exploitation attempts early. Developers should audit custom API routes and ensure that all sensitive endpoints enforce proper authentication and authorization. Finally, consider isolating parse-server instances behind VPNs or private networks to limit exposure to untrusted actors.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T16:33:42.913Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b0864c2f860ef943bbb075
Added to database: 3/10/2026, 8:59:56 PM
Last enriched: 3/10/2026, 9:14:37 PM
Last updated: 3/13/2026, 10:08:08 PM