PatchSiren cyber security CVE debrief
CVE-2026-47248 parse-community CVE debrief
CVE-2026-47248 is a vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure running Node.js. The vulnerability affects the GraphQL endpoint, which discloses schema metadata to unauthenticated callers through 'Did you mean ...?' suggestions embedded in GraphQL validation-error messages. This allows an unauthenticated caller with only the public application ID to iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. The issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
- Vendor
- parse-community
- Product
- parse-server
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of Parse Server, especially those who have exposed the GraphQL endpoint to unauthenticated callers, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as medium-severity. It can be exploited by unauthenticated callers, and the attack vector is network-based. The vulnerability has been patched in versions 8.6.78 and 9.9.1-alpha.2 of Parse Server.
Defensive priority
medium
Recommended defensive actions
- Upgrade to Parse Server version 8.6.78 or 9.9.1-alpha.2 or later.
- Restrict access to the GraphQL endpoint to authenticated callers only.
- Monitor the GraphQL endpoint for suspicious activity.
Evidence notes
The vulnerability was reported through the GitHub security advisory program. The CVE record and NVD detail pages provide additional information about the vulnerability.
Official resources
CVE-2026-47248 was published on 2026-06-12T19:16:28.713Z and has not been modified since then.