Parse Server is an open-source backend framework that runs on Node.js and supports various storage adapters, including streaming-capable ones like GridFS. The vulnerability identified as CVE-2026-34784 (CWE-285) arises from improper authorization checks during file downloads when HTTP Range requests are used. Specifically, prior to versions 8.6.71 and 9.7.1-alpha.1, the afterFind(Parse.File) trigger and its associated validators, such as requireUser, are bypassed if a client issues a partial content request (HTTP Range). This means that files intended to be protected by these authorization mechanisms can be accessed without proper permission verification. The issue is rooted in how streaming adapters handle partial content requests, allowing attackers to circumvent the normal authorization workflow. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Although no known exploits are reported in the wild yet, the high CVSS score of 8.2 reflects the significant risk posed by this flaw. The patch fixes the authorization bypass by ensuring that afterFind triggers and validators are enforced even when HTTP Range requests are used.

This vulnerability can lead to unauthorized disclosure of sensitive files stored in parse-server backends, potentially exposing confidential user data, intellectual property, or other protected information. Since the flaw allows bypassing authorization without authentication or user interaction, attackers can remotely access restricted files simply by crafting HTTP Range requests. Organizations relying on parse-server with streaming storage adapters like GridFS are at risk of data breaches, which can result in regulatory penalties, reputational damage, and loss of customer trust. The impact is especially critical for applications handling personally identifiable information (PII), financial data, or proprietary content. Additionally, the ability to selectively download file segments via Range requests could facilitate stealthy data exfiltration. The vulnerability affects all deployments using vulnerable versions worldwide, particularly those with publicly accessible parse-server endpoints.

The primary mitigation is to upgrade parse-server to version 8.6.71 or later, or 9.7.1-alpha.1 or later, where the authorization bypass has been patched. Until upgrades can be applied, organizations should consider restricting access to parse-server endpoints through network-level controls such as IP whitelisting, VPNs, or firewall rules to limit exposure. Implementing strict authentication and authorization at the application gateway or reverse proxy can provide an additional layer of defense. Monitoring HTTP traffic for suspicious Range requests targeting file downloads may help detect exploitation attempts. Reviewing and hardening storage adapter configurations to disable streaming if not required can reduce risk. Finally, conducting security audits and penetration tests focused on file access controls in parse-server deployments is recommended to identify any residual weaknesses.