Information Exposure Affecting parse-server package, versions <8.6.78>=9.0.0-alpha.1 <9.9.1-alpha.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Information Exposure vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-PARSESERVER-17111546
- published31 May 2026
- disclosed29 May 2026
- creditoffset
Introduced: 29 May 2026
NewCVE-2026-47248 (opens in a new tab)How to fix?
Upgrade parse-server to version 8.6.78, 9.9.1-alpha.2 or higher.
Overview
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Information Exposure via the Did you mean ...? suggestions in GraphQL validation-error messages. An attacker can enumerate schema metadata, such as class names, field names, argument names, mutation names, and input-object fields, by sending malformed queries to the GraphQL endpoint.
Note:
This is only exploitable if the GraphQL API is enabled and the attacker is unauthenticated while
graphQLPublicIntrospectionis set to false.This vulnerability bypasses the IntrospectionControlPlugin enforced when graphQLPublicIntrospection: false (the default) and defeats the schema-hiding goal of prior advisories CVE-2026-30854 and CVE-2025-53364.