9.7.0 (2026-03-30)
Bug Fixes
- Auth data exposed via verify password endpoint (GHSA-wp76-gg32-8258) (#10323) (770be86)
- Batch login sub-request rate limit uses IP-based keying (#10349) (63c37c4)
- Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)
- Cloud function validator bypass via prototype chain traversal (GHSA-vpj2-qq7w-5qq6) (#10342) (dc59e27)
- Duplicate session destruction can cause unhandled promise rejection (#10319) (92791c1)
- GraphQL API endpoint ignores CORS origin restriction (GHSA-q3p6-g7c4-829c) (#10334) (4dd0d3d)
- GraphQL complexity validator exponential fragment traversal DoS (GHSA-mfj6-6p54-m98c) (#10344) (f759bda)
- LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65) (#10330) (776c71c)
- LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2) (#10350) (f63fd1a)
- Maintenance key blocked from querying protected fields (#10290) (7c8b213)
- MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf) (#10326) (e7efbeb)
- Missing error messages in Parse errors (#10304) (f128048)
- Postgres query on non-existent column throws internal server error (#10308) (c5c4325)
- Session field immutability bypass via falsy-value guard (GHSA-f6j3-w9v3-cq22) (#10347) (9080296)
Features
- Add `protectedFieldsSaveResponseExempt` option to strip protected fields from save responses (#10289) (4f7cb53)
- Add `protectedFieldsTriggerExempt` option to exempt Cloud Code triggers from `protectedFields` (#10288) (1610f98)
- Add support for `partialFilterExpression` in MongoDB storage adapter (#10346) (8dd7bf2)
- Extend storage adapter interface to optionally return `matchedCount` and `modifiedCount` from `DatabaseController.update` with `many: true` (#10353) (aea7596)