Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
Published: 2026-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Immediate Patch
AI Analysis

Impact

Parse Server’s protected fields enforcement fails when a protected field is wrapped inside a logical operator. As a result, any authenticated user can query and retrieve values from fields that should be hidden. The vulnerability stems from an improper validation of non‑top‑level query keys and corresponds to CWE‑284. This abuse leads to unauthorized disclosure of sensitive data but does not allow code execution or privilege escalation. The impact is limited to information disclosure for authenticated users, but the breadth of the data exposed can be large, affecting data confidentiality for all deployed services.

Affected Systems

All releases of the open source Parse Server before version 8.6.19 and before 9.5.2‑alpha.6 are affected. The vulnerability applies to any deployment that uses the default protected field configuration, regardless of host infrastructure. Updated versions are 8.6.19 and 9.5.2‑alpha.6 (or later).

Risk and Exploitability

The CVSS v3 score of 7.1 indicates a high severity of design flaw. The EPSS score of less than 1% signals a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is effectively the application's query API; any authenticated user can construct a query using logical operators to trigger the bypass. Once the check is circumvented, the attacker obtains protected field data, potentially violating privacy and compliance requirements.

Generated by OpenCVE AI on April 16, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Parse Server to version 8.6.19 or 9.5.2‑alpha.6 or later, ensuring the protected fields validation patch is applied.
  • If an update is not immediately feasible, temporarily disable protected fields or restrict query usage through application‑level controls to prevent exposure.
  • Verify that the app’s integration layer does not allow unvalidated logical operators to be passed in queries, adding server‑side validation or schema enforcement as an additional safeguard.

Generated by OpenCVE AI on April 16, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-72hp-qff8-4pvv Parse Server has a protected fields bypass via logical query operators
History

Wed, 11 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
Title Parse Server has a protected fields bypass via logical query operators
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:28:43.222Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30962

cve-icon Vulnrichment

Updated: 2026-03-11T14:28:36.296Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:48.663

Modified: 2026-03-11T16:59:34.270

Link: CVE-2026-30962

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses