Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.
Published: 2026-03-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial List Bypass
Action: Patch Immediately
AI Analysis

Impact

Parse Server uses a requestKeywordDenylist to block payloads containing disallowed keywords. Prior to versions 8.6.12 and 9.5.1‑alpha.1, the denylist logic stops scanning when it first encounters a nested object or array. As a result, an attacker can place a nested structure before a blocked keyword in the JSON request, causing the denylist to be bypassed. This flaw is a protection mechanism failure (CWE‑693) and undermines the integrity protection that developers rely on.

Affected Systems

All parse‑community Parse Server deployments that run a version earlier than 8.6.12 or 9.5.1‑alpha.1 are affected. Because the requestKeywordDenylist is enabled by default, every installation that has not applied the patch is vulnerable. The software runs on any infrastructure that can host Node.js.

Risk and Exploitability

Based on the description, it is inferred that the attacker can exploit the vulnerability by sending a crafted JSON payload with a nested object or array that places a prohibited keyword after the nesting. The CVSS score of 6.9 denotes medium severity. The EPSS score of less than 1% indicates that exploitation has not been widely observed but still possible. The vulnerability is not listed in the CISA KEV catalog. If the API endpoints are reachable without authentication, an unauthenticated attacker may also use the bypass. The attack requires only network access to the Parse Server API and is straightforward to execute once the application is in use.

Generated by OpenCVE AI on April 18, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.12 or later, or to 9.5.1‑alpha.1 or newer, which includes the fix for the denylist bypass.
  • If an immediate upgrade is not possible, add a Cloud Code beforeSave trigger that inspects all incoming data for prohibited keywords across all classes and rejects or sanitizes matching payloads.
  • As a temporary containment measure, implement application‑layer checks that detect requests containing nested objects or arrays preceding banned keywords and block them before they reach Parse Server.

Generated by OpenCVE AI on April 18, 2026 at 09:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q342-9w2p-57fp Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
History

Wed, 11 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.
Title Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Weaknesses CWE-693
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:01:16.003Z

Reserved: 2026-03-07T17:34:39.978Z

Link: CVE-2026-30938

cve-icon Vulnrichment

Updated: 2026-03-10T16:57:33.737Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:53.610

Modified: 2026-03-11T19:53:02.890

Link: CVE-2026-30938

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses