CVE-2026-47248

Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers

### Impact Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through `Did you mean ...?` suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This bypasses the `IntrospectionControlPlugin` enforced when `graphQLPublicIntrospection: false` (the default) and defeats the schema-hiding goal of prior advisories GHSA-48q3-prgv-gm4w and GHSA-q5q9-2rhp-33qw. Schema disclosure aids reconnaissance for downstream authorization probing but does not by itself leak object data or authentication material. ### Patches A new `SchemaSuggestionsControlPlugin` Apollo plugin strips the `Did you mean ...?` suffix from GraphQL validation-error messages during `validationDidStart`, which runs before any introspection gate. The plugin applies only when `graphQLPublicIntrospection: false` and the caller is not a master-key or maintenance-key holder, matching the trust model of the existing `IntrospectionControlPlugin`. ### Workarounds No code workaround is available short of disabling the GraphQL API (`mountGraphQL: false`). Operators who require disclosure-resistant validation errors should upgrade to a patched release. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10467 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10468