Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Parse Server’s PostgreSQL storage adapter is vulnerable to a SQL injection flaw when processing Increment operations on nested object fields (e.g., stats.counter). The "amount" value supplied by a client is interpolated directly into the generated SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL sub‑queries, enabling them to read any data stored in the underlying PostgreSQL database and bypass class‑level permissions (CLPs) and access control lists (ACLs). This constitutes a serious confidentiality breach and is classified as CWE‑89.

Affected Systems

The affected product is Parse Server from parse-community. Versions prior to 8.6.29 and before the release of 9.6.0‑alpha.3 are impacted. MongoDB deployments are not affected. The vulnerability is present in the PostgreSQL adapter for any supported Node.js environment and is identified by the provided CPEs.

Risk and Exploitability

The vulnerability achieves a high CVSS score of 9.3, but its EPSS score is currently under 1 %, indicating a low likelihood of exploitation at this time. It is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. The attack vector is remote; an attacker needs the ability to issue write (increment) requests to the Parse Server REST API, which may be authenticated or unauthenticated, to inject arbitrary SQL statements.

Generated by OpenCVE AI on March 17, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to 8.6.29 or 9.6.0‑alpha.3 (or any newer release) to apply the SQL injection fix.
  • Verify that the deployment uses the PostgreSQL adapter; MongoDB deployments are not affected and require no action.
  • Restrict write access to the Parse Server REST API so that only authenticated and authorized users can perform Increment operations.
  • Monitor API logs for unexpected Increment activity and review access patterns for potential data exfiltration.

Generated by OpenCVE AI on March 17, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q3vj-96h2-gwvg Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
History

Fri, 13 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.
Title Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:11:40.043Z

Reserved: 2026-03-09T19:02:25.011Z

Link: CVE-2026-31856

cve-icon Vulnrichment

Updated: 2026-03-12T20:11:23.150Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T18:16:24.170

Modified: 2026-03-13T18:54:26.190

Link: CVE-2026-31856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:20Z

Weaknesses