Impact The GraphQL API endpoint does not respect the "allowOrigin" server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured "allowOrigin" restriction. Patches The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the "allowOrigin" and "allowHeaders" server options are consistently enforced across all endpoints. Workarounds There is no known workaround other than upgrading. Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335