Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
Published: 2026-03-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker in possession of a readOnlyMasterKey to send a POST request to the /loginAs endpoint of Parse Server, causing the server to issue an authentication token for any specified user. The resulting token grants the attacker full read and write access to that user's data, thereby bypassing the intended partial‑read restriction of the key. This is a classic permission‑check bypass (CWE‑863).

Affected Systems

All deployments of parse-community:parse-server that are running a version earlier than 8.6.6 or earlier than 9.5.0‑alpha.4 are affected. The flaw is independent of operating system or host, so any installation that uses the readOnlyMasterKey before these releases is vulnerable.

Risk and Exploitability

The vulnerability scores 8.5 on CVSS, reflecting a high severity, while the EPSS probability is less than 1 %, indicating that exploitation is currently unlikely but still feasible. The flaw is not listed in CISA’s KEV catalog. Because the attack is performed remotely by issuing an HTTP request to an exposed endpoint, an attacker who can obtain or compromise the readOnlyMasterKey can impersonate any user without requiring local access or additional credentials.

Generated by OpenCVE AI on April 16, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.6 or later, or to 9.5.0‑alpha.4 or a later release that contains the fix.
  • If an upgrade cannot be applied immediately, remove or disable the readOnlyMasterKey from the server configuration to prevent accidental misuse.
  • Apply any additional security patches that address authentication or endpoint exposure issues, and verify that the /loginAs endpoint and master key handling adhere to proper role‑based access controls.

Generated by OpenCVE AI on April 16, 2026 at 11:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-79wj-8rqv-jvp5 parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
History

Wed, 11 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Fri, 06 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
Title Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:20.896Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30229

cve-icon Vulnrichment

Updated: 2026-03-09T20:29:47.388Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T21:16:16.920

Modified: 2026-03-11T12:37:47.227

Link: CVE-2026-30229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses