Vulnerability Database

301,027

Total vulnerabilities in the database

CVE-2020-15126

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.

Published: Jul 22, 2020
Updated: Nov 16, 2025
CVE: CVE-2020-15126
GHSA: GHSA-236h-rqv8-8q73
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
parseplatform / parse_server	3.5.0	4.3.0
parse-server	3.5.0	4.3.0

https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo