PatchSiren cyber security CVE debrief
CVE-2026-50008 parse-community CVE debrief
CVE-2026-50008 is a security bypass vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. However, the check is only enforced as Express middleware against the outer HTTP request URL, allowing an external caller whose outer route matches batch to issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3.
- Vendor: parse-community
- Product: parse-server
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators running Parse Server from version 9.8.0 up to, but not including, version 9.9.1-alpha.3 should apply the patch, because on affected versions the routeAllowList restriction can be bypassed through batch sub-requests.
Technical summary
The vulnerability lies in the routeAllowList server option of Parse Server, which restricts external client access to a configured list of REST API routes. The check is enforced only as Express middleware against the outer HTTP request URL. A batch request is a single outer request to the batch route that carries several inner sub-requests, each dispatched to its own REST API route, and those inner paths are never compared against the allow-list. An external caller whose outer route matches batch can therefore issue batch sub-requests to any REST API route the operator omitted from the list. Authentication, ACL, CLP and other inner-route authorization controls still apply; only the operator-configured route firewall is bypassed.
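To make the outer-URL-only failure concrete, here is an added example (not Parse Server's own code) that contrasts an allow-list check applied to the outer request with one that also descends into batch sub-requests; it assumes a batch body of the shape { requests: [{ method, path }] }, a fixed mount point of /parse, and allow-list entries given as route prefixes, all of which are assumptions for the illustration.

```javascript
// Added illustration, not Parse Server's implementation.
// Assumptions: mount point "/parse"; allow-list entries are route
// prefixes such as "classes/Post"; batch bodies look like
// { requests: [{ method, path }] }.
const MOUNT = '/parse';

// "/parse/classes/Post/abc" -> "classes/Post/abc"
function stripMount(path) {
  const p = path.startsWith(MOUNT) ? path.slice(MOUNT.length) : path;
  return p.replace(/^\/+/, '');
}

function routeAllowed(route, allowList) {
  return allowList.some(a => route === a || route.startsWith(a + '/'));
}

// Weak shape: only the outer request URL is compared to the allow-list,
// so a batch to an allowed "batch" route passes regardless of its contents.
function outerOnlyCheck(req, allowList) {
  return routeAllowed(stripMount(req.path), allowList);
}

// Sub-request paths of a batch that are not on the allow-list (or that
// nest another batch). Useful both for enforcement and for monitoring.
function offendingSubPaths(req, allowList) {
  const subs = req.body && Array.isArray(req.body.requests) ? req.body.requests : [];
  return subs
    .filter(s => typeof s.path !== 'string'
      || stripMount(s.path) === 'batch'
      || !routeAllowed(stripMount(s.path), allowList))
    .map(s => (typeof s.path === 'string' ? s.path : '<invalid>'));
}

// Hardened shape: the outer route must be allowed, and if it is the batch
// route every inner path must pass the same check; malformed batches fail.
function deepCheck(req, allowList) {
  const outer = stripMount(req.path);
  if (!routeAllowed(outer, allowList)) return false;
  if (outer !== 'batch') return true;
  if (!req.body || !Array.isArray(req.body.requests)) return false;
  return offendingSubPaths(req, allowList).length === 0;
}

// Constructed sample: the operator allows only classes/Post and batch,
// and a batch smuggles a sub-request to the omitted "users" route.
const allow = ['classes/Post', 'batch'];
const smuggled = {
  path: '/parse/batch',
  body: { requests: [
    { method: 'POST', path: '/parse/classes/Post' },
    { method: 'GET', path: '/parse/users' },
  ] },
};
```

Running the two checks over the constructed batch shows the difference: outerOnlyCheck accepts it because the outer route is batch, while deepCheck rejects it and offendingSubPaths names the smuggled /parse/users path.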
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patch in version 9.9.1-alpha.3 or later.
- Review and update the routeAllowList server option to ensure it includes all necessary REST API routes.
- Monitor batch requests for sub-request paths that fall outside the configured routeAllowList, as these indicate bypass attempts.
Evidence notes
CVE-2026-50008 has a CVSS score of 6.9 and is classified as MEDIUM severity.
Official resources
CVE-2026-50008 was published on 2026-06-12T19:16:29.187Z and has not been modified since then.