PatchSiren cyber security CVE debrief
CVE-2026-47138 parse-community CVE debrief
CVE-2026-47138 is a HIGH-severity vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
- Vendor: parse-community
- Product: parse-server
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Parse Server, especially those running production deployments with the default configuration, should be aware of this vulnerability and take action to patch their installations.
Technical summary
The vulnerability allows an unauthenticated attacker to submit a malicious HTTP request that triggers polynomial backtracking in the request-header parser, consuming significant CPU resources and potentially leading to denial-of-service (DoS) attacks.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Parse Server 8.6.77 or later on the 8.x line, or 9.9.1-alpha.1 or later on the 9.x line.
- Review and adjust the configuration of your Parse Server installation so that unauthenticated requests cannot be used to exhaust CPU on the request-header parser.
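The summary above describes a header parser whose cost grows polynomially with the length of the client SDK version field. The example below is added here and is not Parse Server's own code: it is an Express-style middleware that caps the length of that field and allow-lists its shape before the request reaches the server's handlers, so that a malformed value is rejected in linear time. It assumes the field arrives in the X-Parse-Client-Version header, which the advisory does not name, and it does not reproduce the vulnerable parser.

```javascript
// Added example (not Parse Server code): defense-in-depth middleware that
// rejects oversized or malformed client-version headers before any
// backtracking-prone parser sees them. Assumption: the field arrives in the
// X-Parse-Client-Version header; the vulnerable parser is not shown here.

// Hard cap on header length: backtracking cost grows polynomially with input
// size, so bounding the size bounds the worst-case CPU spent per request.
const MAX_CLIENT_VERSION_LENGTH = 64;

// Conservative allow-list: a short alphabetic SDK name followed by a dotted
// numeric version, e.g. "js6.1.0". The character classes do not overlap and
// the quantifiers are not nested, so this check itself runs in linear time.
const SAFE_CLIENT_VERSION = /^[a-zA-Z]{1,16}[0-9]{1,4}(\.[0-9]{1,4}){0,3}$/;

// Pure validator so the policy can be tested without an HTTP server.
// Returns { ok: true } or { ok: false, reason: '...' }.
function checkClientVersion(value) {
  if (value === undefined || value === '') {
    return { ok: true }; // the header is optional; absence is not an error
  }
  if (typeof value !== 'string') {
    return { ok: false, reason: 'non-string header value' };
  }
  if (value.length > MAX_CLIENT_VERSION_LENGTH) {
    return { ok: false, reason: 'client version too long' };
  }
  if (!SAFE_CLIENT_VERSION.test(value)) {
    return { ok: false, reason: 'client version has unexpected format' };
  }
  return { ok: true };
}

// Express-style middleware (hypothetical name) to mount ahead of Parse
// Server's own handlers so a rejected request never reaches its parser.
function clientVersionGuard(req, res, next) {
  const result = checkClientVersion(req.headers['x-parse-client-version']);
  if (!result.ok) {
    // 400 tells the client the header is malformed; the log line gives
    // defenders a signal to alert on.
    console.warn(`rejected request: ${result.reason}`);
    return res.status(400).json({ error: 'invalid client version header' });
  }
  return next();
}
```

Tune the allow-list to the SDKs your clients actually send before deploying, since a pattern that is too strict will reject legitimate traffic; this is a stop-gap until the upgrade, not a replacement for it.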
Evidence notes
The vulnerability is patched in versions 8.6.77 and 9.9.1-alpha.1. Users can refer to the official CVE record [cve-org] and NVD detail [nvd] for more information.
Official resources
CVE-2026-47138 was published on 2026-06-12T19:16:28.257Z and has not been modified since then.