CVE
CVE-2026-32886
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Impact
Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.
Patches
The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
Workarounds
There is no known workaround.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Resources
No items found.
References
https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4, https://nvd.nist.gov/vuln/detail/CVE-2026-32886, https://github.com/parse-community/parse-server/pull/10210, https://github.com/parse-community/parse-server/pull/10211, https://github.com/parse-community/parse-server
Basic Information
Ecosystem
