Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection leading to data compromise and potential command execution
Action: Apply Patch
AI Analysis

Impact

Parse Server contains a SQL injection flaw in the PostgreSQL storage adapter that occurs when an Increment operation references a nested object field through dot notation (e.g., stats.counter). The adapter directly interpolates the sub‑key name into SQL string literals without proper escaping, allowing an attacker to inject arbitrary SQL fragments. An attacker who can send write requests to the Parse Server REST API can exploit this flaw to read sensitive data, bypass Cloud‑Level Permissions (CLPs) and Access Control Lists (ACLs), or even execute database commands that could compromise the entire PostgreSQL instance.

Affected Systems

The vulnerability affects the parse-community:parse-server product. Versions earlier than 9.6.0‑alpha.5 and 8.6.31 contain the flaw. Only deployments that use the PostgreSQL storage adapter are impacted. The affected CPEs include parseplatform:parse-server with Node.js environments and the specific alpha releases of 9.6.0 listed in the data.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Attackers who can reach the Parse Server REST API and have permission to perform Increment operations on nested fields have the necessary conditions to exploit this vulnerability. Given the potential for unauthorized data access or database compromise, the risk is significant for any exposed instance.

Generated by OpenCVE AI on March 17, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Parse Server release (>=9.6.0-alpha.5 or 8.6.31) to eliminate the vulnerability

Generated by OpenCVE AI on March 17, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gqpp-xgvh-9h7h Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
History

Fri, 13 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.
Title Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:09:53.852Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31871

cve-icon Vulnrichment

Updated: 2026-03-12T20:09:51.412Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T18:16:26.663

Modified: 2026-03-13T18:24:50.250

Link: CVE-2026-31871

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:02Z

Weaknesses