CVE-2026-35200: CWE-436: Interpretation Conflict in parse-community parse-server
A vulnerability in parse-community's parse-server prior to versions 8. 6. 73 and 9. 7. 1-alpha. 4 allows files to be uploaded with a filename extension that passes the allowlist but with a mismatched Content-Type header. This inconsistency leads to storage adapters like S3 or GCS serving files with incorrect Content-Type headers. The default GridFS adapter is not affected as it derives Content-Type from the filename when serving. This issue is fixed in the specified versions.
AI Analysis
Technical Summary
CVE-2026-35200 describes an interpretation conflict vulnerability (CWE-436) in parse-server where uploaded files can have a filename extension allowed by the system but a differing Content-Type header. The Content-Type header is passed directly to storage adapters without validation, causing adapters such as Amazon S3 or Google Cloud Storage to serve files with mismatched Content-Type headers. This can lead to incorrect content handling by clients. The vulnerability affects parse-server versions prior to 8.6.73 and 9.7.1-alpha.4. The default GridFS storage adapter is not vulnerable because it determines Content-Type based on the filename at serving time. The vulnerability has a low CVSS score of 2.1 and no known exploits in the wild.
Potential Impact
The impact is limited to files being served with an incorrect Content-Type header when using certain storage adapters (e.g., S3, GCS). This may cause clients to misinterpret the file content type, potentially leading to minor security or usability issues. There is no indication of direct code execution, privilege escalation, or data breach from this vulnerability. The default GridFS adapter is not affected.
Mitigation Recommendations
A fix is available in parse-server versions 8.6.73 and 9.7.1-alpha.4. Users should upgrade to these or later versions to resolve the issue. Since this is a cloud service, the vendor manages remediation for hosted services; users should verify with the vendor if using a managed parse-server instance. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-35200: CWE-436: Interpretation Conflict in parse-community parse-server
Description
A vulnerability in parse-community's parse-server prior to versions 8. 6. 73 and 9. 7. 1-alpha. 4 allows files to be uploaded with a filename extension that passes the allowlist but with a mismatched Content-Type header. This inconsistency leads to storage adapters like S3 or GCS serving files with incorrect Content-Type headers. The default GridFS adapter is not affected as it derives Content-Type from the filename when serving. This issue is fixed in the specified versions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35200 describes an interpretation conflict vulnerability (CWE-436) in parse-server where uploaded files can have a filename extension allowed by the system but a differing Content-Type header. The Content-Type header is passed directly to storage adapters without validation, causing adapters such as Amazon S3 or Google Cloud Storage to serve files with mismatched Content-Type headers. This can lead to incorrect content handling by clients. The vulnerability affects parse-server versions prior to 8.6.73 and 9.7.1-alpha.4. The default GridFS storage adapter is not vulnerable because it determines Content-Type based on the filename at serving time. The vulnerability has a low CVSS score of 2.1 and no known exploits in the wild.
Potential Impact
The impact is limited to files being served with an incorrect Content-Type header when using certain storage adapters (e.g., S3, GCS). This may cause clients to misinterpret the file content type, potentially leading to minor security or usability issues. There is no indication of direct code execution, privilege escalation, or data breach from this vulnerability. The default GridFS adapter is not affected.
Mitigation Recommendations
A fix is available in parse-server versions 8.6.73 and 9.7.1-alpha.4. Users should upgrade to these or later versions to resolve the issue. Since this is a cloud service, the vendor manages remediation for hosted services; users should verify with the vendor if using a managed parse-server instance. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T18:48:58.937Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d4982faaed68159ac9fe00
Added to database: 4/7/2026, 5:37:51 AM
Last enriched: 4/14/2026, 4:10:52 PM
Last updated: 5/22/2026, 3:29:20 PM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.