CVE-2026-35200: CWE-436: Interpretation Conflict in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
AI Analysis
Technical Summary
CVE-2026-35200 describes an interpretation conflict vulnerability in parse-community's parse-server where files uploaded with an allowed filename extension but a differing Content-Type header are accepted. The Content-Type header is forwarded to storage adapters without validation, causing adapters such as S3 or GCS to serve files with mismatched Content-Type headers. This can lead to inconsistent handling of files by clients. The vulnerability affects parse-server versions prior to 8.6.73 and 9.7.1-alpha.4. The default GridFS adapter is not vulnerable because it determines Content-Type based on the filename at serving time. The issue has been fixed in the specified versions.
Potential Impact
The vulnerability may cause files to be served with a Content-Type header that does not match their filename extension, potentially leading to interpretation conflicts on the client side. This could affect how browsers or other clients handle the file content, but no direct code execution or data breach is indicated. The CVSS score of 2.1 and low severity rating reflect the limited impact. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in parse-server versions 8.6.73 and 9.7.1-alpha.4. Users should upgrade to these or later versions to resolve the issue. Since this is a cloud service, the vendor manages remediation for hosted instances; users should verify with their service provider that the patch has been applied. No additional mitigation actions are specified or required.
CVE-2026-35200: CWE-436: Interpretation Conflict in parse-community parse-server
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35200 describes an interpretation conflict vulnerability in parse-community's parse-server where files uploaded with an allowed filename extension but a differing Content-Type header are accepted. The Content-Type header is forwarded to storage adapters without validation, causing adapters such as S3 or GCS to serve files with mismatched Content-Type headers. This can lead to inconsistent handling of files by clients. The vulnerability affects parse-server versions prior to 8.6.73 and 9.7.1-alpha.4. The default GridFS adapter is not vulnerable because it determines Content-Type based on the filename at serving time. The issue has been fixed in the specified versions.
Potential Impact
The vulnerability may cause files to be served with a Content-Type header that does not match their filename extension, potentially leading to interpretation conflicts on the client side. This could affect how browsers or other clients handle the file content, but no direct code execution or data breach is indicated. The CVSS score of 2.1 and low severity rating reflect the limited impact. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in parse-server versions 8.6.73 and 9.7.1-alpha.4. Users should upgrade to these or later versions to resolve the issue. Since this is a cloud service, the vendor manages remediation for hosted instances; users should verify with their service provider that the patch has been applied. No additional mitigation actions are specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T18:48:58.937Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d4982faaed68159ac9fe00
Added to database: 4/7/2026, 5:37:51 AM
Last enriched: 4/7/2026, 5:38:06 AM
Last updated: 4/8/2026, 12:46:25 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.