Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Parse Server accepts dot-notation field names in query parameters such as sort, distinct, and where. When such queries are processed against a PostgreSQL backend, the server does not properly escape the sub-field values, which allows an attacker to inject arbitrary SQL. This flaw (CWE-89) lets an attacker read, modify, or delete data stored in the database; it is therefore a critical vulnerability that compromises the confidentiality and integrity, and potentially the availability, of application data.
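To make the defensive pattern concrete, here is an added example written for this page (it is not Parse Server's own implementation, and the function names, the ALLOWED_COLUMNS set and the sample field names are assumptions). It shows the handling a dot-notation sort field needs before it reaches PostgreSQL: each segment is checked against a strict identifier allowlist, the column name is quoted, and the sub-field path is bound as a query parameter to PostgreSQL's `#>>` operator rather than spliced into the SQL text. The same validated path builder can serve the distinct and where parameters that the advisory also mentions.

```javascript
'use strict';

// Added example, not Parse Server code: hardened handling of a dot-notation
// field name (e.g. "data.profile.name") when building a PostgreSQL ORDER BY
// clause. Every segment is allowlisted, the column is quoted, and the
// sub-field path is sent as a bound text[] parameter to the "#>>" operator
// instead of being spliced into the SQL string. All names are hypothetical.

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Constructed stand-in for a schema lookup of the class's real columns.
const ALLOWED_COLUMNS = new Set(['objectId', 'createdAt', 'updatedAt', 'data', 'settings']);

// Split "col.sub.leaf" into segments, rejecting anything that is not a plain
// identifier (quotes, spaces, punctuation, empty segments from "a..b", ...).
function splitDotNotation(field) {
  if (typeof field !== 'string' || field.length === 0 || field.length > 256) {
    throw new Error('field name must be a non-empty string of at most 256 characters');
  }
  const segments = field.split('.');
  for (const segment of segments) {
    if (!IDENTIFIER.test(segment)) {
      throw new Error(`invalid field segment: ${JSON.stringify(segment)}`);
    }
  }
  return segments;
}

// Quote a column name as a PostgreSQL identifier. The name has already
// passed the allowlist, so doubling embedded quotes is defence in depth.
function quoteIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Build the ORDER BY fragment and its parameter list in the { text, values }
// shape node-postgres uses. paramIndex is the next free $n placeholder, so
// the fragment can be appended to a larger parameterised query.
function buildSortClause(field, direction = 'asc', paramIndex = 1) {
  const dir = String(direction).toLowerCase() === 'desc' ? 'DESC' : 'ASC';
  const [column, ...path] = splitDotNotation(field);
  if (!ALLOWED_COLUMNS.has(column)) {
    throw new Error(`unknown column: ${column}`);
  }
  if (path.length === 0) {
    return { text: `ORDER BY ${quoteIdentifier(column)} ${dir}`, values: [] };
  }
  // "#>>" takes a text[] path; pg serialises a JS array as a PostgreSQL
  // array literal, so the sub-field names never become part of the SQL text.
  return {
    text: `ORDER BY ${quoteIdentifier(column)} #>> $${paramIndex} ${dir}`,
    values: [path],
  };
}

// Constructed inputs: one valid nested sort and one that must be rejected.
console.log(buildSortClause('data.profile.name', 'desc'));
try {
  buildSortClause('data.profile-name!');
} catch (err) {
  console.log('rejected:', err.message);
}
```

The allowlist on the column name matters as much as the parameter binding: identifiers cannot be bound as parameters in PostgreSQL, so the only safe way to accept a caller-supplied column is to compare it against the columns the schema actually defines.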

Affected Systems

The vulnerability is limited to Parse Server deployments that use PostgreSQL and run any release prior to 9.6.0-alpha.2 or 8.6.28. Both the 8.x and 9.x major series are affected; deployments that have upgraded to the patched releases are not. The affected product is parse-community:parse-server, listed in the CPE data as parse-server:* and parse-server:9.6.0:alpha1.

Risk and Exploitability

The CVSS score of 9.3 categorises this as a critical issue. The EPSS score is below 1%, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating a low baseline probability of exploitation in the wild. However, exploitation requires only the ability to send a crafted HTTP request to the Parse Server API, and the description does not indicate that authentication is required. The attack vector is therefore remote over the web API, and the potential impact is high because the flaw allows arbitrary SQL statements to be executed against the database.

Generated by OpenCVE AI on March 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0-alpha.2 or later, or to 8.6.28 or later; these releases include the necessary escaping fixes.
  • Verify your current Parse Server version and ensure it is at or above the patched releases.
  • Monitor the vendor’s releases page or the security advisory link for additional patches or updates.
  • If upgrading is not immediately possible, temporarily restrict external write access to the Parse Server API until a patch can be applied.
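To make the version-verification step above concrete, here is an added check written for this page (example code, not an OpenCVE or Parse Server tool). It compares a Parse Server version string against the two patched releases from the advisory using semver precedence, so pre-release tags such as alpha.2 order correctly. The function names are chosen for this example; the lookup of parse-server/package.json is only attempted and falls back to constructed sample versions when the package is not installed.

```javascript
'use strict';

// Added example, not an OpenCVE or Parse Server tool: check whether a
// Parse Server version string is at or above the patched releases named in
// the advisory. Comparison follows semver precedence so that pre-release
// tags ("9.6.0-alpha.1" < "9.6.0-alpha.2" < "9.6.0") order correctly.

// Fixed releases from the advisory: 8.6.28 for the 8.x line, 9.6.0-alpha.2
// for 9.x. Anything below 8.6.28 (7.x and earlier included) and any 9.x
// release before 9.6.0-alpha.2 is treated as unpatched.
const PATCHED = { 8: '8.6.28', 9: '9.6.0-alpha.2' };

const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(version) {
  const m = SEMVER.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Pre-release precedence: no pre-release ranks above any pre-release;
// numeric identifiers compare numerically and rank below alphanumeric
// ones; the longer list wins when all shared identifiers are equal.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (+x !== +y) return +x < +y ? -1 : 1;
    } else if (xNum) {
      return -1;
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (x[part] !== y[part]) return x[part] < y[part] ? -1 : 1;
  }
  return comparePre(x.pre, y.pre);
}

// True when the version is at or above the fixed release for its line.
function isPatched(version) {
  const { major } = parseVersion(version);
  const floor = major >= 9 ? PATCHED[9] : PATCHED[8];
  return compareVersions(version, floor) >= 0;
}

// Try the locally installed package; returns null when it is not present
// (as in this stand-alone example) so the script still runs offline.
function installedParseServerVersion() {
  try {
    return require('parse-server/package.json').version;
  } catch (err) {
    return null;
  }
}

const installed = installedParseServerVersion();
if (installed) {
  console.log(`parse-server ${installed}: ${isPatched(installed) ? 'patched' : 'NOT patched, upgrade required'}`);
} else {
  // Constructed sample versions standing in for an installed package.
  for (const v of ['8.6.27', '8.6.28', '9.6.0-alpha.1', '9.6.0-alpha.2']) {
    console.log(`${v}: ${isPatched(v) ? 'patched' : 'NOT patched'}`);
  }
}
```

Run it from the deployment's application directory so that `require('parse-server/package.json')` resolves the version that is actually deployed rather than one pinned in a lockfile elsewhere; the check says nothing about whether the deployment uses PostgreSQL, which the advisory states is the only affected backend.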

Advisories

Source       ID                   Title
GitHub GHSA  GHSA-qpr4-jrj4-6f27  Parse Server: SQL injection via dot-notation field name in PostgreSQL

History

Fri, 13 Mar 2026 19:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Parseplatform
                                     Parseplatform parse-server
CPEs                                 cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
Vendors & Products                   Parseplatform
                                     Parseplatform parse-server
Metrics                              cvssV3_1
                                     {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Parse Community
                                     Parse Community parse Server
Vendors & Products                   Parse Community
                                     Parse Community parse Server

Wed, 11 Mar 2026 18:15:00 +0000

Type                 Values Removed  Values Added
Metrics                              ssvc
                                     {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 17:15:00 +0000

Type                 Values Removed  Values Added
Description                          Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
Title                                Parse Server has a SQL injection via dot-notation field name in PostgreSQL
Weaknesses                           CWE-89
References
Metrics                              cvssV4_0
                                     {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-11T17:38:08.164Z
Reserved: 2026-03-09T17:41:56.078Z
Link: CVE-2026-31840

Vulnrichment

Updated: 2026-03-11T17:37:49.571Z

NVD

Status: Analyzed
Published: 2026-03-11T17:16:58.447
Modified: 2026-03-13T18:54:46.243
Link: CVE-2026-31840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:24Z

Weaknesses