Parse Server, an open-source backend platform running on Node.js, suffered a critical authorization bypass vulnerability identified as CVE-2026-34532. The issue arises when Cloud Function handlers are declared using the function keyword and their validators are plain objects or arrow functions. Attackers can append "prototype.constructor" to the Cloud Function name in the URL, exploiting a discrepancy in how the server resolves the handler and validator through prototype chain traversal. Specifically, the handler resolution follows its prototype chain, while the validator does not, resulting in the validator's access control checks being bypassed. This flaw allows unauthenticated users to invoke Cloud Functions that should be protected by validators such as requireUser, requireMaster, or custom logic, effectively bypassing intended authorization controls. The vulnerability affects parse-server versions prior to 8.6.67 and versions from 9.0.0 up to but not including 9.7.0-alpha.11. The issue has been patched in versions 8.6.67 and 9.7.0-alpha.11. The CVSS 4.0 base score is 9.1, reflecting a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity. Although no known exploits are reported in the wild, the vulnerability poses a significant risk due to the ease of exploitation and potential for unauthorized access to sensitive backend functions.

The vulnerability allows unauthenticated attackers to bypass critical access controls on Cloud Functions within parse-server, potentially leading to unauthorized execution of backend logic. This can result in unauthorized data access, modification, or deletion, compromising confidentiality and integrity of data managed by the affected applications. Since Cloud Functions often handle sensitive operations such as user authentication, data processing, or administrative tasks, exploitation could lead to privilege escalation, data breaches, or service manipulation. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations relying on parse-server for backend services may face severe operational and reputational damage if this vulnerability is exploited, especially in environments handling sensitive or regulated data.

Organizations should immediately upgrade parse-server to version 8.6.67 or later, or to 9.7.0-alpha.11 or later, where the vulnerability is patched. In addition to upgrading, review all Cloud Functions and their validators to ensure they do not rely on vulnerable patterns such as function keyword declarations with plain object or arrow function validators. Implement strict input validation and URL sanitization to detect and block attempts to append prototype chain traversal strings like "prototype.constructor". Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect anomalous URL patterns targeting Cloud Functions. Conduct thorough security testing, including penetration testing focused on authorization bypass scenarios. Monitor logs for suspicious access patterns to Cloud Functions, especially those invoked without authentication. Finally, maintain an up-to-date inventory of parse-server versions deployed across environments to ensure timely patching.