CVE-2026-30854
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
| CWE | CWE-863 |
| Vendor | parse-community |
| Product | parse-server |
| Published | Mar 7, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for parse-community parse-server
Be the first to know when new unknown vulnerabilities affecting parse-community parse-server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
parse-community / parse-server
>= 9.3.1-alpha.3, < 9.5.0-alpha.10