CVE-2026-50008: CWE-863: Incorrect Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
AI Analysis
Technical Summary
Parse Server's routeAllowList option is intended to restrict external client access to configured REST API routes by enforcing checks as Express middleware on the outer HTTP request URL. However, for the /batch handler, which dispatches multiple sub-requests internally, the allow-list check is not re-applied to each sub-request. This allows an external attacker whose outer route matches /batch to issue sub-requests to any REST API route not included in the allow-list, effectively bypassing the route firewall. Despite this bypass, other authorization mechanisms such as authentication, ACL, and CLP remain enforced. The vulnerability affects versions from 9.8.0 up to but excluding 9.9.1-alpha.3 and has been patched in 9.9.1-alpha.3.
Potential Impact
An attacker can bypass the operator-configured routeAllowList firewall by sending batch requests, potentially accessing REST API routes that were intended to be restricted. However, the attacker's access is still subject to existing authentication and authorization controls, limiting the impact to bypassing only the routeAllowList restriction.
Mitigation Recommendations
A fix is available in parse-server version 9.9.1-alpha.3. Users should upgrade to this version or later to address the vulnerability. No other specific mitigation is indicated.
CVE-2026-50008: CWE-863: Incorrect Authorization in parse-community parse-server
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
CVSS v4.0
Score 6.9medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Parse Server's routeAllowList option is intended to restrict external client access to configured REST API routes by enforcing checks as Express middleware on the outer HTTP request URL. However, for the /batch handler, which dispatches multiple sub-requests internally, the allow-list check is not re-applied to each sub-request. This allows an external attacker whose outer route matches /batch to issue sub-requests to any REST API route not included in the allow-list, effectively bypassing the route firewall. Despite this bypass, other authorization mechanisms such as authentication, ACL, and CLP remain enforced. The vulnerability affects versions from 9.8.0 up to but excluding 9.9.1-alpha.3 and has been patched in 9.9.1-alpha.3.
Potential Impact
An attacker can bypass the operator-configured routeAllowList firewall by sending batch requests, potentially accessing REST API routes that were intended to be restricted. However, the attacker's access is still subject to existing authentication and authorization controls, limiting the impact to bypassing only the routeAllowList restriction.
Mitigation Recommendations
A fix is available in parse-server version 9.9.1-alpha.3. Users should upgrade to this version or later to address the vulnerability. No other specific mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-02T22:46:02.578Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c5612e617e2d834b0f371
Added to database: 6/12/2026, 6:55:14 PM
Last enriched: 6/12/2026, 7:10:25 PM
Last updated: 6/12/2026, 9:29:54 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.