CVE-2026-32594: CWE-306: Missing Authentication for Critical Function in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework running on Node.js, widely used for building applications with GraphQL APIs. CVE-2026-32594 arises because the GraphQL WebSocket endpoint handling subscriptions does not pass requests through the Express middleware chain responsible for enforcing authentication, introspection controls, and query complexity limits. This omission means that any client can connect to the WebSocket endpoint and perform GraphQL operations without providing a valid application or API key. Additionally, the vulnerability allows attackers to perform schema introspection even when public introspection is disabled, revealing sensitive schema details. Attackers can also submit arbitrarily complex queries that bypass configured complexity limits, potentially leading to resource exhaustion and denial of service. The vulnerability affects parse-server versions >=9.0.0 and <9.6.0-alpha.14, as well as versions below 8.6.40. The issue is fixed in versions 8.6.40 and 9.6.0-alpha.14 by ensuring the WebSocket endpoint properly enforces middleware authentication and query controls. The CVSS 4.0 score is 6.9 (medium), reflecting network exploitability without authentication or user interaction, with limited confidentiality and availability impact but no integrity impact. No known exploits are currently reported in the wild.
Potential Impact
This vulnerability allows unauthenticated remote attackers to access critical backend functions via the GraphQL WebSocket endpoint. The primary impacts include unauthorized data exposure through schema introspection, which can aid further attacks, and the ability to execute arbitrary GraphQL queries without restriction. The bypass of query complexity limits can lead to resource exhaustion, causing denial of service conditions affecting availability. Organizations relying on parse-server for backend services risk data leakage and service disruption. Since authentication is bypassed, attackers do not need valid credentials, increasing the attack surface. The impact is particularly significant for applications exposing sensitive data or operating in multi-tenant environments. While no integrity impact is noted, the confidentiality and availability risks can lead to reputational damage, regulatory non-compliance, and operational downtime.
Mitigation Recommendations
1. Upgrade parse-server to version 8.6.40 or later, or 9.6.0-alpha.14 or later, where the vulnerability is patched.
2. If immediate upgrade is not possible, restrict network access to the GraphQL WebSocket endpoint using firewall rules or network segmentation to limit exposure to trusted clients only.
3. Implement WebSocket-level authentication proxies or gateways that enforce authentication and query complexity limits before requests reach parse-server.
4. Monitor GraphQL subscription traffic for unusual patterns, such as excessive query complexity or unexpected schema introspection requests.
5. Regularly audit parse-server configurations to ensure introspection is disabled in production environments unless explicitly required.
6. Employ rate limiting and resource quotas on GraphQL endpoints to mitigate potential denial of service attacks.
7. Educate development and operations teams about this vulnerability and ensure secure deployment practices for parse-server instances.
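Recommendations 3 and 4 describe a gateway in front of parse-server that re-applies the controls the subscription endpoint skipped. The following is an added illustration, not parse-server's own code or any parse-community project code: a policy module a WebSocket reverse proxy could call once on the HTTP upgrade request (application-key check) and once per protocol frame (introspection and depth checks). The `X-Parse-Application-Id` header is the standard Parse client header; the `subscribe`/`start` frame shapes (graphql-ws and the legacy subscriptions protocol), the sample application id, and the brace-counting depth heuristic are assumptions of this example, not facts from the advisory.

```javascript
// Added example (not parse-server code): gateway-side policy that mirrors the
// HTTP middleware controls for a GraphQL subscription WebSocket.

const POLICY = {
  // Constructed sample value; in a deployment this is the configured Parse application id.
  allowedAppIds: new Set(['myAppId']),
  // Mirror the HTTP-side settings so the WebSocket path is no weaker than the HTTP path.
  allowIntrospection: false,
  maxDepth: 5,
};

// Node lower-cases incoming header names; normalise whatever the caller hands us.
function headerMap(headers) {
  const m = new Map();
  for (const [k, v] of Object.entries(headers || {})) m.set(k.toLowerCase(), String(v));
  return m;
}

// Decide whether a WebSocket upgrade request may be forwarded to parse-server.
// Returns { allow: boolean, reason: string } so the caller can log the decision.
function checkUpgradeRequest(headers, policy = POLICY) {
  const h = headerMap(headers);
  if ((h.get('upgrade') || '').toLowerCase() !== 'websocket') {
    return { allow: false, reason: 'not a websocket upgrade' };
  }
  const appId = h.get('x-parse-application-id');
  if (!appId) return { allow: false, reason: 'missing X-Parse-Application-Id' };
  if (!policy.allowedAppIds.has(appId)) return { allow: false, reason: 'unknown application id' };
  return { allow: true, reason: 'ok' };
}

// Maximum brace nesting of a GraphQL document. Deliberate approximation (assumption of
// this example): it ignores braces inside string literals and is not a GraphQL parser.
function selectionDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of query) {
    if (ch === '{') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth -= 1;
    }
  }
  return max;
}

// Introspection root fields, matched as whole tokens.
const INTROSPECTION_FIELD = /(^|[^A-Za-z0-9_])__(schema|type)(?![A-Za-z0-9_])/;

// Inspect one protocol frame (JSON text) before forwarding it to parse-server.
// Only operation frames ("subscribe" in graphql-ws, "start" in the legacy protocol)
// carry a query; other frames are control traffic and pass through.
function inspectFrame(text, policy = POLICY) {
  let msg;
  try {
    msg = JSON.parse(text);
  } catch (e) {
    return { allow: false, reason: 'malformed frame' };
  }
  if (msg.type !== 'subscribe' && msg.type !== 'start') {
    return { allow: true, reason: 'control frame' };
  }
  const query = msg.payload && typeof msg.payload.query === 'string' ? msg.payload.query : null;
  if (!query) return { allow: false, reason: 'operation without query' };
  if (!policy.allowIntrospection && INTROSPECTION_FIELD.test(query)) {
    return { allow: false, reason: 'introspection disabled' };
  }
  const depth = selectionDepth(query);
  if (depth > policy.maxDepth) {
    return { allow: false, reason: `depth ${depth} exceeds ${policy.maxDepth}` };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample frames exercising each branch.
function demo() {
  const frames = [
    JSON.stringify({ type: 'connection_init' }),
    JSON.stringify({ type: 'subscribe', id: '1', payload: { query: 'subscription { x { y } }' } }),
    JSON.stringify({ type: 'subscribe', id: '2', payload: { query: '{ __schema { types { name } } }' } }),
    JSON.stringify({ type: 'subscribe', id: '3', payload: { query: 'subscription { a { b { c { d { e { f } } } } } }' } }),
  ];
  return frames.map((f) => inspectFrame(f).reason);
}
```

A decision of `allow: false` on the upgrade request should close the connection before any frame reaches parse-server, and a rejected frame should be logged with its reason, which gives the monitoring in recommendation 4 a concrete signal (introspection attempts and depth violations per client). This is a stopgap for the interval before the upgrade in recommendation 1, not a replacement for it.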
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.268Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b473bd2f860ef943aa940d
Added to database: 3/13/2026, 8:29:49 PM
Last enriched: 3/21/2026, 12:41:22 AM
Last updated: 4/28/2026, 3:07:39 AM