CVE-2026-34784 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains an authorization bypass vulnerability in its file download handling. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g., the default GridFS adapter). This allows unauthorized access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.
Critical Impact
An attacker who knows a protected file's URL can bypass the afterFind(Parse.File) authorization logic and the requireUser validator by adding an HTTP Range header to the download request, and so retrieve the file without a session token from any Parse Server instance that runs a vulnerable version with a streaming-capable files adapter.
Affected Products
- Parse Server 8.x prior to 8.6.71
- Parse Server 9.x prior to 9.7.1-alpha.1
- In both cases only when the configured files adapter supports streaming (the default GridFS adapter does); deployments on a non-streaming adapter do not have the bypassing code path
Discovery Timeline
- March 31, 2026 - CVE-2026-34784 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34784
Vulnerability Analysis
This authorization bypass vulnerability (CWE-285: Improper Authorization) affects Parse Server's file routing mechanism when handling HTTP Range requests. The vulnerability exists in the FilesRouter.js component, where streaming file downloads fail to invoke the afterFind(Parse.File) trigger that normally validates file access permissions.
When a client makes a standard file download request, Parse Server correctly processes the request through its authorization pipeline, including afterFind triggers and validators like requireUser. However, when a client initiates an HTTP Range request (commonly used for partial content downloads or resume functionality), the streaming code path circumvents these authorization checks entirely.
The consequence is that any file stored through a streaming-capable adapter, such as the default GridFS adapter, can be retrieved by anyone who knows its URL, regardless of what the afterFind trigger or its validators would have decided. Parse Server does not otherwise require a session to fetch a file by URL; the trigger and validators are the access control for downloads, so skipping them leaves the file effectively public.
Root Cause
The root cause lies in the FilesRouter.js component's handling of streaming file downloads. The streaming code path was implemented without properly integrating the Auth module and authorization trigger chain. When processing Range requests, the router directly streams file content to the client without first verifying that the requesting user has appropriate permissions through the afterFind trigger system.
Attack Vector
The attack vector is network-based and requires no user interaction. An unauthenticated attacker can exploit this vulnerability by sending HTTP Range requests to file endpoints on a vulnerable Parse Server instance. The attack is straightforward:
- Identify a Parse Server instance whose files adapter supports streaming and obtain the URL of a protected file
- Send a GET request for that URL with a Range header (any valid value, for example Range: bytes=0-)
- The server takes the streaming code path, never invokes the afterFind(Parse.File) trigger or its validators, and streams the requested bytes
- The protected content is returned without a session token
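The check a practitioner would run against their own deployment, as an added example that is not part of Parse Server or of the advisory: request a protected file once without a Range header and once with a one-byte Range, and compare the outcomes. The decision logic is kept separate from the network calls so it can be tested offline. BASE_URL, FILE_PATH and APP_ID are placeholders, the server is assumed to deny anonymous plain downloads of that file through its afterFind(Parse.File) trigger or requireUser validator, and the tester is assumed to be authorized to probe the deployment.

```javascript
// Added example, not part of Parse Server or of the advisory: check whether a
// Parse Server file endpoint enforces afterFind(Parse.File) authorization on
// Range requests. Assumptions (all hypothetical): the server is reachable at
// BASE_URL, FILE_PATH is the path of a file that the deployment denies to
// anonymous callers, and the tester is authorized to probe this deployment.
// Requires Node 18+ (global fetch). Usage: node probe.js <base-url> [file-path]

const BASE_URL = process.argv[2] || 'http://parse-server.example:1337';
const FILE_PATH = process.argv[3] || '/parse/files/APP_ID/example_protected.pdf';

// Pure decision logic, separated from I/O so it can be exercised offline.
// plainStatus: status of an anonymous GET with no Range header.
// rangeStatus: status of the same GET with "Range: bytes=0-0".
function classify(plainStatus, rangeStatus) {
  const ok = s => s >= 200 && s < 300;
  if (ok(plainStatus)) {
    // The trigger let the anonymous plain request through, so the file is not
    // protected and this probe says nothing about the Range path.
    return { verdict: 'inconclusive', reason: 'plain anonymous GET succeeded; file is not protected' };
  }
  if (ok(rangeStatus)) {
    // Denied without Range, served with Range: the streaming path skipped the trigger.
    return { verdict: 'vulnerable', reason: `plain GET ${plainStatus}, Range GET ${rangeStatus}` };
  }
  return { verdict: 'not-vulnerable', reason: `both requests denied (${plainStatus}/${rangeStatus})` };
}

async function statusOf(url, headers) {
  const res = await fetch(url, { method: 'GET', headers });
  // Drain the body so the connection is released; only the status matters here.
  await res.arrayBuffer();
  return res.status;
}

async function probe(baseUrl, filePath) {
  const url = baseUrl + filePath;
  const plain = await statusOf(url, {});
  const ranged = await statusOf(url, { Range: 'bytes=0-0' }); // one byte keeps the probe cheap
  return classify(plain, ranged);
}

// Only contact a server when a base URL was given on the command line.
if (process.argv[2]) {
  probe(BASE_URL, FILE_PATH).then(r => console.log(`${r.verdict}: ${r.reason}`));
}
```

The classifier treats any 2xx as "served" rather than looking only for 206, because a server that ignores the Range header and answers 200 has still handed over the file; and it refuses to draw a conclusion when the plain anonymous request already succeeds, since that file was never protected in the first place.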
// Security patch in src/Routers/FilesRouter.js - Adding Auth module import
import logger from '../logger';
const triggers = require('../triggers');
const Utils = require('../Utils');
+const auth = require('../Auth');
import { createSanitizedHttpError } from '../Error';
export class FilesRouter {
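Review bot: the new `auth` import is unused within the visible lines, so this hunk alone changes no behaviour; the part that matters is the streaming/Range branch of the file handler, which is outside this excerpt, and review should confirm there that the caller's auth is resolved from the request and the afterFind(Parse.File) trigger and its validators run before the first byte is streamed, and that a rejection on the Range path produces the same error response as the non-Range path. Minor style point: the file mixes ES `import` (logger, createSanitizedHttpError) with CommonJS `require` (triggers, Utils, and now auth); the new line matches its `require` neighbours, which is the consistent choice here, but the mix is worth unifying in a follow-up.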
Source: Parse Server Commit 053109b
The excerpt above shows only the import of the Auth module; the rest of the commit, which is not reproduced here, uses it so that the streaming download path resolves the caller's identity and runs the afterFind(Parse.File) trigger and its validators before any content is sent, the same checks the non-Range path already performed.
Detection Methods for CVE-2026-34784
Indicators of Compromise
- Unusual file download activity from unauthenticated sessions
- HTTP requests with Range headers targeting file storage endpoints without accompanying session tokens
- Access logs showing file downloads that bypass normal authentication patterns
- Increased bandwidth consumption from file endpoints without corresponding authenticated user activity
Detection Strategies
- Monitor reverse-proxy access logs for Range requests to the file endpoint (/parse/files/ under the default mount path) that carry no session token. Parse clients send the token in the X-Parse-Session-Token header, which the standard combined log format does not record, so extend the log format to include that header and the Range header before relying on this signal. Range requests are also normal for browsers seeking in media and for resumable downloads, so the sharper indicator is a client that was refused on a plain request and then succeeded with a Range request for the same file
- Implement alerting on file access attempts that do not correlate with authenticated user sessions
- Add a log line inside your afterFind(Parse.File) trigger and correlate it with the access log: a file download that appears in the access log with no matching trigger entry went through the unguarded streaming path
- Deploy web application firewall (WAF) rules to flag suspicious Range request patterns
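The two log signals above, implemented as an added example that is not part of Parse Server or of the advisory. It assumes a hypothetical nginx log_format that extends the combined format with the Range and X-Parse-Session-Token request headers (nginx renders an absent header as "-"); the mount path /parse, the app name "myapp", the IP addresses, file names and session token in the sample log are all constructed.

```javascript
// Added example (not part of Parse Server or the advisory): scan reverse-proxy
// access logs for unauthenticated Range downloads of Parse files. Assumes a
// hypothetical nginx log_format that extends "combined" with two request
// headers, which nginx writes as "-" when the header is absent:
//   log_format parsefiles '$remote_addr - $remote_user [$time_local] "$request" '
//                         '$status $body_bytes_sent range="$http_range" '
//                         'session="$http_x_parse_session_token"';
// The mount path /parse and the app name "myapp" are placeholders.

const FILES_PREFIX = '/parse/files/';

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ range="([^"]*)" session="([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status, range, session] = m;
  return {
    ip, time, method, path,
    status: Number(status),
    range: range === '-' ? null : range,
    session: session === '-' ? null : session,
  };
}

const isSuccess = e => e.status >= 200 && e.status < 300;
const isFileRequest = e => e.path.startsWith(FILES_PREFIX);

// Signal 1 (noisy): a Range request for a file succeeded with no session token.
// Public files and media seeking produce these too, so treat them as leads.
function rangeRequestsWithoutSession(entries) {
  return entries.filter(e => isFileRequest(e) && e.range !== null && e.session === null && isSuccess(e));
}

// Signal 2 (sharp): the same client was refused (403) on a plain request for a
// file and then received 2xx for a Range request on the same path. The trigger
// rejected the normal path, so only the unguarded streaming path could have served it.
function deniedThenBypassed(entries) {
  const refused = new Set();
  const hits = [];
  for (const e of entries) {
    if (!isFileRequest(e)) continue;
    const key = `${e.ip} ${e.path}`;
    if (e.range === null && e.status === 403) refused.add(key);
    else if (e.range !== null && isSuccess(e) && refused.has(key)) hits.push(e);
  }
  return hits;
}

function analyzeAccessLog(lines) {
  const entries = lines.map(parseLine).filter(e => e !== null);
  return {
    parsed: entries.length,
    rangeWithoutSession: rangeRequestsWithoutSession(entries),
    deniedThenBypassed: deniedThenBypassed(entries),
  };
}

// Constructed sample log: one client probes a protected report, is refused on
// the plain request, then pulls it in two Range chunks; the rest is benign traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Mar/2026:10:15:00 +0000] "GET /parse/files/myapp/4f2a_report.pdf HTTP/1.1" 403 12 range="-" session="-"',
  '10.0.0.5 - - [31/Mar/2026:10:15:01 +0000] "GET /parse/files/myapp/4f2a_report.pdf HTTP/1.1" 206 65536 range="bytes=0-65535" session="-"',
  '10.0.0.5 - - [31/Mar/2026:10:15:02 +0000] "GET /parse/files/myapp/4f2a_report.pdf HTTP/1.1" 206 65536 range="bytes=65536-131071" session="-"',
  '10.0.0.9 - - [31/Mar/2026:10:16:00 +0000] "GET /parse/files/myapp/4f2a_report.pdf HTTP/1.1" 200 131072 range="-" session="r:9c1d2e3f4a5b"',
  '10.0.0.7 - - [31/Mar/2026:10:17:10 +0000] "GET /parse/classes/Report HTTP/1.1" 200 512 range="-" session="-"',
  '10.0.0.8 - - [31/Mar/2026:10:18:00 +0000] "GET /parse/files/myapp/7b3c_logo.png HTTP/1.1" 206 1024 range="bytes=0-1023" session="-"',
];

const report = analyzeAccessLog(SAMPLE_LOG);
console.log(`parsed ${report.parsed} lines; ` +
  `${report.rangeWithoutSession.length} unauthenticated Range hits, ` +
  `${report.deniedThenBypassed.length} denied-then-bypassed`);
```

On the sample, signal 1 also flags the public logo fetched by 10.0.0.8, which is exactly the noise the first rule produces; signal 2 isolates the two chunked downloads by 10.0.0.5 that followed its 403. The second rule depends on the refusal appearing earlier in the log than the Range request, which is the order an attacker who first tries a plain download produces.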
Monitoring Recommendations
- Enable detailed logging for all file storage adapter operations
- Implement anomaly detection for file download patterns, particularly focusing on Range request usage
- Monitor for unauthorized access to files that should be protected by requireUser validators
- Set up alerts for high-volume file downloads from single IP addresses without authentication
How to Mitigate CVE-2026-34784
Immediate Actions Required
- Upgrade Parse Server to version 8.6.71 or later for the 8.x branch
- Upgrade Parse Server to version 9.7.1-alpha.1 or later for the 9.x branch
- Audit file access logs for any unauthorized downloads that may have occurred prior to patching
- Review all files protected by afterFind triggers to assess potential data exposure
Patch Information
Security patches have been released by the Parse Server maintainers. The fixes are available in versions 8.6.71 and 9.7.1-alpha.1. The patches ensure that the Auth module is properly integrated into the streaming file download code path, enabling correct authorization validation for Range requests.
Relevant security resources:
- GitHub Security Advisory GHSA-hpm8-9qx6-jvwv
- Parse Server Pull Request #10361
- Parse Server Pull Request #10362
Workarounds
- Refuse (or strip) the Range header for the file endpoint at the reverse proxy, load balancer or WAF until the upgrade is deployed. Refusing breaks legitimate resumable downloads and media seeking; stripping the header instead sends every request down the non-streaming path, where the afterFind trigger still runs, and clients receive the whole file with a 200 rather than a 206
- Restrict network access to the file endpoint to trusted networks where the deployment allows it
- Switching to a files adapter that does not support streaming removes the vulnerable code path, but files already stored by the current adapter stay where they are and become unreachable unless they are migrated; weigh that against the cost of a prompt upgrade
# Example nginx configuration to block Range requests to Parse Server files
# Assumes Parse Server is mounted at /parse (the default) behind upstream parse-server:1337.
# "if" followed by a plain "return" is one of the safe uses of "if" inside a location.
location /parse/files/ {
    if ($http_range) {
        return 403;
    }
    # Alternative to the "if" block above: strip the header instead of refusing the
    # request, so it takes the non-streaming path (where afterFind runs) and the
    # client receives the whole file with a 200 instead of a 206.
    #proxy_set_header Range "";
    proxy_pass http://parse-server:1337;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

