CRITICAL🇵🇱 Wersja polska

CVE-2026-30966

CVSS 10.0v3.1pub. 2026-03-10upd. 2026-03-11

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.

🤖 AI Analysis
How it works

Internal Parse Server tables that store relation field mappings (e.g., role memberships) are not properly protected against external access (CWE-284 — improper access control). An attacker, possessing only the application key, can perform CRUD operations (create, read, update, delete) on any internal relation table. By doing so, they can inject any account into a selected role (Parse Role), assuming all associated permissions. Similarly, it is possible to bypass the pointerFields CLP mechanism by directly writing to the backing table of a given Relation field.

Impact

An attacker can grant themselves full read, write, and delete permissions to classes protected by Class-Level Permissions (CLP) based on roles, effectively taking control of the application's data. It is also possible to completely bypass other access control mechanisms based on pointer fields (pointerFields CLP).

Mitigation & patch

Parse Server should be updated to version 9.5.2-alpha.7 (9.x branch) or 8.6.20 (8.x branch), in which the vulnerability has been fixed. Patches are available in the vendor's references on GitHub.

Who is affected

Parse Server (Parseplatform parse-server) in versions prior to 9.5.2-alpha.7 and prior to 8.6.20

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • Parseplatform Parse Server

    APP
    Parseplatform
    9.5.2< 8.6.209.0.0 – 9.5.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-34532CRITICAL9.1PL ✓ten sam produkt

Parse Server: obejście walidatorów Cloud Functions przez prototype chain

CVE-2026-32248CRITICAL9.3PL ✓ten sam produkt

Parse Server — przejęcie konta przez manipulację zapytaniem (Auth Bypass)

CVE-2026-32242CRITICAL9.1PL ✓ten sam produkt

Race condition w Parse Server — błędna walidacja tokenów OAuth2

CVE-2026-31871CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Parse Server (PostgreSQL) — operacje Increment na polach zagnieżdżonych

CVE-2026-31856CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Parse Server (PostgreSQL) — operacje Increment na zagnieżdżonych polach