CVE Database · CVE-2026-50008
CVSS v3.1
N/A
CVSS v4.0
6.9
EPSS
0.34%
Published
Jun 12, 2026
Modified
Jun 12, 2026
Public PoC / Exploit
All weaponized →No public PoC or exploit code indexed for this CVE.
Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
Weaknesses (CWE)
References (2)
