Loading
Generated remediation guidance and an executive summary. No account required.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Cite this page
CVE-2026-34573. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-34573
Use CWE-407, Parseplatform vendor hub and Parse-Server product page to widen CVE-2026-34573 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-34532, CVE-2026-34784 and CVE-2026-34215 for nearby disclosures in the same product family.