Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
Published: 2026-03-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to file metadata via endpoint bypass
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the file metadata endpoint of Parse Server, where the beforeFind and afterFind triggers are not enforced for GET /files/:appId/metadata/:filename requests. This bypass allows an unauthenticated user to retrieve metadata for any file regardless of the access-control logic encoded in the triggers, exposing potentially sensitive information such as filenames, sizes, or storage location. The weakness is characterized as an unauthorized access flaw (CWE-862).

Affected Systems

Parse Server versions earlier than 8.6.9 and 9.5.0-alpha.9 are impacted, regardless of the underlying operating system or infrastructure, provided Node.js is available. The vulnerability is tied to the open-source backend code maintained by the parse-community project.

Risk and Exploitability

The CVSS v3 score of 6.3 indicates a medium severity, while the EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog, which further reduces immediate threat. An attacker must know the target appId and filename to trigger the endpoint, but no additional authentication is required, so the attack vector is effectively remote and directly exploitable by issuing a crafted HTTP GET request. The lack of trigger enforcement can lead to exposure of file metadata but does not directly grant file content access.

Generated by OpenCVE AI on April 16, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.9 or newer, or to version 9.5.0-alpha.9 or newer, where the metadata endpoint enforces the beforeFind and afterFind authorization logic.
  • If an upgrade cannot be performed immediately, restrict external access to the metadata endpoint (e.g., via firewall rules or API gateway configurations) to only trusted internal IP ranges or authenticated sources.
  • Verify that the beforeFind and afterFind triggers remain correctly configured as access-control gates after any change, and run penetration tests to confirm that file metadata is no longer publicly accessible.

Generated by OpenCVE AI on April 16, 2026 at 10:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hwx8-q9cg-mqmc Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
History

Tue, 10 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:-:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Sat, 07 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
Title Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:25:10.263Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30850

cve-icon Vulnrichment

Updated: 2026-03-09T17:38:47.949Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T17:15:52.367

Modified: 2026-03-10T16:55:09.270

Link: CVE-2026-30850

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses