Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
Published: 2026-03-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized write operations via readOnlyMasterKey leading to potential data exfiltration
Action: Immediate Patch
AI Analysis

Impact

Parse Server's readOnlyMasterKey is documented to grant master-level read access and to deny every write, yet the Cloud Hook and Cloud Job endpoints accept it for mutating operations. A caller who holds the key can create, modify, and delete Cloud Hooks and start Cloud Jobs. Cloud Hooks are webhooks that Parse Server invokes for Cloud Functions and class triggers, sending the request's data to the configured URL, so a hook pointed at an attacker-controlled URL turns a read-only credential into a data exfiltration channel; starting Cloud Jobs lets the holder run existing server-side job code on demand. The weakness is CWE-863 (Incorrect Authorization): the endpoints check that a master-level key is present but not which kind of key it is.
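
Because a planted hook is the exfiltration path described above, the first thing to check on a deployment that exposed its readOnlyMasterKey is which webhook URLs are registered. The following audit script is an added example, not code from Parse Server or OpenCVE. It assumes the documented Parse REST hook listing endpoints (GET /hooks/functions returns objects with functionName and url; GET /hooks/triggers returns objects with className, triggerName and url) and flags any hook whose host is outside an allow-list you supply; the sample hook data, hostnames and allow-list below are constructed for illustration.

```javascript
// Added example (not Parse Server's own code): audit registered Cloud Hooks and
// flag webhooks that point outside an allow-list of trusted hosts.

// Expected response shapes of the Parse REST hook listing endpoints:
//   GET /hooks/functions -> [{ functionName, url }]
//   GET /hooks/triggers  -> [{ className, triggerName, url }]
function classifyHooks(functionHooks, triggerHooks, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];

  const inspect = (label, hook) => {
    let host, proto;
    try {
      const u = new URL(hook.url);
      host = u.hostname.toLowerCase();
      proto = u.protocol;
    } catch {
      // An unparseable URL is still worth a look: it was stored by someone with a master-level key.
      findings.push({ hook: label, url: hook.url, reason: 'unparseable url' });
      return;
    }
    if (!allowed.has(host)) {
      findings.push({ hook: label, url: hook.url, reason: `host ${host} not allow-listed` });
    } else if (proto !== 'https:') {
      // Trusted host but cleartext transport: object data would cross the network unencrypted.
      findings.push({ hook: label, url: hook.url, reason: 'not https' });
    }
  };

  for (const h of functionHooks) inspect(`function:${h.functionName}`, h);
  for (const h of triggerHooks) inspect(`trigger:${h.className}.${h.triggerName}`, h);
  return findings;
}

// Live collection against a real server (Node 18+ global fetch). Listing hooks is a
// read operation; run it from a trusted admin host with the full master key.
async function fetchHooks(serverUrl, appId, masterKey) {
  const headers = { 'X-Parse-Application-Id': appId, 'X-Parse-Master-Key': masterKey };
  const get = async (p) => {
    const r = await fetch(`${serverUrl}${p}`, { headers });
    if (!r.ok) throw new Error(`${p}: HTTP ${r.status}`);
    return r.json();
  };
  const [functions, triggers] = await Promise.all([get('/hooks/functions'), get('/hooks/triggers')]);
  return { functions, triggers };
}

// Constructed sample data standing in for what fetchHooks would return from a
// deployment where a hook was planted with a leaked readOnlyMasterKey.
const SAMPLE_FUNCTION_HOOKS = [
  { functionName: 'sendReceipt', url: 'https://hooks.example.internal/sendReceipt' },
  { functionName: 'sendReceipt_copy', url: 'https://203.0.113.7/collect' },
];
const SAMPLE_TRIGGER_HOOKS = [
  { className: 'Payment', triggerName: 'afterSave', url: 'https://hooks.example.internal/payment' },
  { className: '_User', triggerName: 'beforeSave', url: 'http://exfil.example.net/u' },
];
const ALLOWED_HOSTS = ['hooks.example.internal'];

function auditSample() {
  return classifyHooks(SAMPLE_FUNCTION_HOOKS, SAMPLE_TRIGGER_HOOKS, ALLOWED_HOSTS);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Against a real deployment: fetchHooks(url, appId, masterKey).then(({functions, triggers}) =>
  //   console.log(classifyHooks(functions, triggers, ALLOWED_HOSTS)));
  console.log(auditSample());
}
```

Every finding names the hook so it can be deleted through the same REST endpoints with the full master key; a hook on a `_User` or payment class trigger that reports to an unknown host should be treated as an active exfiltration channel, not merely a misconfiguration.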

Affected Systems

Any deployment of Parse Server (parse-community/parse-server) that sets the readOnlyMasterKey option and runs a version earlier than 8.6.4, or a 9.4.1 prerelease earlier than 9.4.1-alpha.3. Deployments that never configured a readOnlyMasterKey are not exposed. The flaw is in the server code itself, so it applies regardless of the Node.js version or hosting platform.

Risk and Exploitability

The CVSS v4.0 base score is 8.6 (High); the CVSS v3.1 assessment recorded in the history below is 7.2. Both vectors carry PR:H: the attacker must already hold the readOnlyMasterKey, which could come from a leaked configuration file, a compromised read-only dashboard or reporting user, or insider misuse. The EPSS estimate is below 1 %, the CVE is not in CISA's KEV catalog, and the SSVC assessment records Exploitation: none with Technical Impact: total, so observed exploitation is rare even though the impact is severe. Once the key is known, exploitation is a plain REST call with no user interaction: the attacker can plant webhooks that receive application data and run server-side jobs, which is a high-impact compromise.

Generated by OpenCVE AI on April 17, 2026 at 12:19 UTC.

Remediation

Fixed upstream in Parse Server 8.6.4 and 9.4.1-alpha.3 (see advisory GHSA-vc89-5g3r-cmhh).

OpenCVE Recommended Actions

  • Upgrade Parse Server to 8.6.4 or later, or to 9.4.1‑alpha.3 or later on the 9.4.1 prerelease line, where the hook and job endpoints reject the readOnlyMasterKey for writes.
  • If an upgrade is not immediately possible, remove readOnlyMasterKey from the configuration so that only the full master key is accepted; anything that authenticates with the read-only key, such as read-only dashboard or reporting users, loses access until the upgrade.
  • Audit existing Cloud Hooks (the GET /hooks/functions and /hooks/triggers listings) and Cloud Job runs; delete any hook that points at an unrecognised URL and treat hooks or jobs created while the key may have been exposed as attacker-controlled.
  • As a temporary control, restrict outbound connections from the Parse Server host to known webhook destinations (a planted hook exfiltrates by calling out), monitor for unexpected job executions and hook changes, and rotate the readOnlyMasterKey and, if the deployment's secrets may have been exposed together, the master key as well.


Advisories

Source: GitHub GHSA
ID: GHSA-vc89-5g3r-cmhh
Title: Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
History

Tue, 10 Mar 2026 20:00:00 +0000

Values added:
  First time appeared: Parseplatform; Parseplatform parse-server
  CPEs: cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
        cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha1:*:*:*:node.js:*:*
        cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha2:*:*:*:node.js:*:*
  Vendors & Products: Parseplatform; Parseplatform parse-server
  Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Mar 2026 21:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Values added:
  First time appeared: Parse Community; Parse Community parse Server
  Vendors & Products: Parse Community; Parse Community parse Server

Fri, 06 Mar 2026 20:45:00 +0000

Values added:
  Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
  Title: Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
  Weaknesses: CWE-863
  References:
  Metrics (cvssV4_0): {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:21.169Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29182

Vulnrichment

Updated: 2026-03-09T20:29:52.688Z

NVD

Status : Analyzed

Published: 2026-03-06T21:16:15.137

Modified: 2026-03-10T19:53:34.383

Link: CVE-2026-29182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses