Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 1de4e43
Author: Manuel
Date: 2026-03-09T03:41:12Z
Commit Message
fix: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes ([GHSA-7xg7-rqf6-pw6c](https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c)) (#10151)
Pull Request
PR: #10151 - fix: Classes _GraphQLConfig and _Audience master key bypass via generic class routes (GHSA-7xg7-rqf6-pw6c)
Labels: state:released-alpha
Description:
Pull Request
Issue
Classes _GraphQLConfig and _Audience master key bypass via generic class routes ([GHSA-7xg7-rqf6-pw6c](https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c))
Tasks
Analysis
Vulnerability Type: Privilege Escalation / Authentication Bypass
Severity: High
Description
Before the patch, the internal classes '_GraphQLConfig' and '_Audience' could be accessed and modified via generic class REST routes without requiring the master key, allowing unauthorized users to bypass access controls and escalate privileges. The patch enforces master key requirements on these classes, preventing unauthorized create, read, update, and delete operations through the REST API.
Affected Code
// Pre-patch allowlist of classes restricted to master-key access.
// '_GraphQLConfig' and '_Audience' are absent, so generic class
// routes could reach them without the master key.
const classesWithMasterOnlyAccess = [
  '_PushStatus',
  '_Hooks',
  '_GlobalConfig',
  '_JobSchedule',
  '_Idempotency',
];
Proof of Concept
Perform the following HTTP request (without master key) to create an object in the '_Audience' class:
POST /1/classes/_Audience
Headers:
X-Parse-Application-Id: test
X-Parse-REST-API-Key: rest
Content-Type: application/json
Body:
{ "name": "malicious", "query": "{}" }
Expected behavior before patch: Request succeeds and object is created without master key.
Expected behavior after patch: Request fails with error code Parse.Error.OPERATION_FORBIDDEN, denying access without master key.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-09T06:00:57.552Z