Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Published: 2026-03-10
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via internal table manipulation
Action: Immediate Patch
AI Analysis

Impact

Parse Server allows clients to perform CRUD operations on internal tables that store role membership relations when only the publicly distributed application key is presented. Through this access an attacker can inject themselves into any existing Parse Role and thereby acquire all permissions tied to that role. This includes full read, write, and delete rights to any class that is protected by role‑based Class‑Level Permissions (CLP). Additionally, writing to tables that back Relation fields that are referenced in a __pointerFields__ CLP can bypass that access control entirely. The vulnerability is therefore a direct privilege escalation and CLP bypass that does not require a master key.

Affected Systems

The issue affects Parse Server versions released before 9.5.2‑alpha.7 and 8.6.20, which are available from parse‑community. These are open‑source backend deployments built on Node.js that can run on any infrastructure. All customers running these versions are vulnerable.

Risk and Exploitability

The CVSS score of 10 signifies a critical security flaw. However, the EPSS score is <1%, indicating that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Despite the low projected exploitation probability, the attack vector—accessing internal tables over the public REST or GraphQL API with an application key—is simple and requires no special privileges. An attacker with knowledge of the application key can readily perform the necessary operations, making the risk high for those environments where the application key is exposed or used by untrusted clients. The risk remains elevated until a patch is applied or a proper mitigative configuration is implemented.

Generated by OpenCVE AI on April 16, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2‑alpha.7 or newer, or 8.6.20 or newer, which removes external exposure of internal tables.
  • Limit the use of the application key to trusted processes or services that run inside a secure network segment, ensuring it is not distributed to untrusted clients.
  • Enable and review application logs or use an external monitoring solution to detect and alert on unauthorized CRUD operations on internal tables.

Generated by OpenCVE AI on April 16, 2026 at 09:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5f92-jrq3-28rc Parse Server has role escalation and CLP bypass via direct `_Join` table write
History

Wed, 11 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Title Parse Server role escalation and CLP bypass via direct `_Join` table write
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:31:23.412Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30966

cve-icon Vulnrichment

Updated: 2026-03-11T14:31:17.045Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:48.980

Modified: 2026-03-11T19:50:29.950

Link: CVE-2026-30966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses