Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access via Protected Field By-Pass
Action: Apply Patch
AI Analysis

Impact

Parse Server, an open-source backend for Node.js, lets a class-level permission (CLP) list protectedFields that are withheld from clients who are not entitled to see them. In versions prior to 9.6.0-alpha.6 and 8.6.32 that restriction can be bypassed with dot-notation: an attacker references a sub-field of a protected field (field.subfield) in a query's WHERE clause or in a sort parameter, and the server still evaluates the constraint against the hidden data. Whether an object is returned, or where it lands in the sort order, then acts as a binary oracle from which the protected values can be enumerated one comparison at a time. The impact is limited to confidentiality; no integrity or availability effect is recorded. The weakness is classified as CWE-284 (Improper Access Control).
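As an added illustration, which is not Parse Server's code, the JavaScript below models the class of bug described above: a protectedFields check that compares whole key names misses a dotted sub-field path, and the match/no-match answer that leaks through is enough to binary-search a hidden numeric value. The `ROWS` data, the `PROTECTED` list, the operator subset in `matches`, and the assumption that the protected field holds an object with a numeric sub-key are all constructed for the example.

```javascript
// Illustrative model of the dot-notation protectedFields bypass. This is
// added example code, not Parse Server's implementation. Assumption: the
// protected field holds an object with sub-keys (`secret: { level: <n> }`),
// so "secret.level" is a valid sub-field path for a query to reach into.

// Constructed sample class data; `secret` is listed under protectedFields.
const ROWS = [
  { objectId: 'a1', name: 'alice', secret: { level: 42 } },
  { objectId: 'b2', name: 'bob',   secret: { level: 7 } },
];
const PROTECTED = ['secret'];

// Minimal matcher for the operators the example needs ($gt, $lt, equality),
// resolving dotted paths the way a document store would.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function matches(row, where) {
  return Object.entries(where).every(([path, cond]) => {
    const v = getPath(row, path);
    if (cond !== null && typeof cond === 'object') {
      if ('$gt' in cond && !(v > cond.$gt)) return false;
      if ('$lt' in cond && !(v < cond.$lt)) return false;
      return true;
    }
    return v === cond;
  });
}

// Vulnerable model: only an exact key match against protectedFields is
// rejected, so the dotted key "secret.level" slips through.
function enforceNaive(where) {
  for (const key of Object.keys(where)) {
    if (PROTECTED.includes(key)) throw new Error(`protected field: ${key}`);
  }
  return true;
}

// Hardened model: the root segment of every key, dotted or not, is checked.
function enforceHardened(where) {
  for (const key of Object.keys(where)) {
    const root = key.split('.')[0];
    if (PROTECTED.includes(root)) throw new Error(`protected field: ${root}`);
  }
  return true;
}

// Query endpoint model: results come back with protected fields stripped,
// which is why a plain read leaks nothing but a filter on the field does.
function query(where, enforce) {
  enforce(where);
  return ROWS.filter(r => matches(r, where)).map(({ secret, ...rest }) => rest);
}

// Binary oracle: "does the object with this objectId satisfy the constraint?"
// Each answer leaks one bit about the hidden numeric sub-field.
function makeOracle(enforce) {
  return (objectId, cond) =>
    query({ objectId, 'secret.level': cond }, enforce).length > 0;
}

// Recover an integer in [lo, hi] with O(log n) oracle calls.
function binarySearch(oracle, objectId, lo, hi) {
  let calls = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    calls++;
    if (oracle(objectId, { $gt: mid })) lo = mid + 1; else hi = mid;
  }
  return { value: lo, calls };
}

// Run the attack against both models and report what happened.
function demo() {
  const leak = binarySearch(makeOracle(enforceNaive), 'a1', 0, 1000);
  let blocked = false;
  try { binarySearch(makeOracle(enforceHardened), 'a1', 0, 1000); }
  catch (e) { blocked = /protected field: secret/.test(e.message); }
  return { leakedValue: leak.value, oracleCalls: leak.calls, blocked };
}
```

`demo()` shows the naive check giving up the value 42 after ten oracle calls while the hardened check refuses the very first query. The same root-segment normalisation has to be applied to the keys of the sort (order) parameter, which the example leaves out.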

Affected Systems

All installations of parse-community:parse-server running on Node.js are affected when the deployed version is older than 9.6.0-alpha.6 on the 9.x pre-release line or older than 8.6.32 on the 8.x line. Both MongoDB and PostgreSQL database backends are susceptible, because the issue lies in Parse Server's query processing layer rather than in the database itself. The CPE entries name the 9.6.0 alpha1 through alpha5 pre-releases explicitly and add a version-range entry covering earlier releases; 9.6.0-alpha.6 and 8.6.32 are the first fixed versions.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (High) and the CVSS 3.1 score of 7.5 both describe a network-reachable, low-complexity attack that needs no privileges and no user interaction and has a confidentiality-only impact (C:H, no integrity or availability effect). The EPSS score of under 1 % suggests current exploitation likelihood is low, the SSVC assessment records no known exploitation and rates the attack as not automatable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs only access to the exposed Parse Server REST API: an unauthenticated client submits a query whose WHERE clause or sort parameter uses dot-notation to reach into a protected field and learns the hidden value from which objects match or how they are ordered. Deployments that expose the API to the public internet and rely on protectedFields to keep sensitive data from ordinary clients carry the highest risk.

Generated by OpenCVE AI on March 17, 2026 at 17:08 UTC.

Remediation

Fixed versions have been released: 9.6.0-alpha.6 on the 9.x pre-release line and 8.6.32 on the 8.x line (see advisory GHSA-r2m8-pxm9-9c4g). No workaround for unpatched versions is published.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0‑alpha.6 or newer, or to 8.6.32 or newer, as detailed in the vendor advisories.
  • Verify that all running instances are on a patched version and restart the services after the upgrade.
  • If upgrading immediately is not possible, monitor API request logs for query `where` or `order` parameters that use dot-notation (field.subfield) into a field listed under a class's protectedFields; that access pattern is the one the advisory describes and has no legitimate use against a field the requester is not allowed to read.
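An added example for the verify-and-monitor steps above, not OpenCVE's or Parse Server's code: `isVulnerable` compares a reported parse-server version against the fixed versions named in the advisory (with the pre-release ordering that 9.6.0-alpha.6 requires), and `scanLog` flags REST requests whose `where` or `order` parameter reaches into a protected field by dot-notation. The fixed versions come from the advisory text; the request-log format, the `SAMPLE_LOG` lines, the `PROTECTED_BY_CLASS` map and the assumption that majors newer than 9 carry the fix are constructed for the example.

```javascript
// Added example for the remediation steps; not OpenCVE's or Parse Server's
// code. Assumptions: fixed versions are taken from the advisory text
// (9.6.0-alpha.6 and 8.6.32); majors newer than 9 are treated as fixed;
// the request-log format and the class/field names are constructed.

// ---- Step 2: is a reported parse-server version still vulnerable? --------

// Parse "MAJOR.MINOR.PATCH[-tag.N]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? { tag: m[4], n: +m[5] } : null };
}

// Semver-style ordering: numeric core first; a release outranks its own
// pre-releases; pre-releases order by tag, then by number (alpha.10 > alpha.6).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  if (pa.pre.tag !== pb.pre.tag) return pa.pre.tag < pb.pre.tag ? -1 : 1;
  return pa.pre.n - pb.pre.n;
}

const FIXED_IN = { 8: '8.6.32', 9: '9.6.0-alpha.6' }; // from the advisory
function isVulnerable(version) {
  const major = parseVersion(version).core[0];
  if (major < 8) return true;             // older than either fixed line
  if (!(major in FIXED_IN)) return false; // assumption: later majors carry the fix
  return compareVersions(version, FIXED_IN[major]) < 0;
}

// ---- Step 3: flag dot-notation filters or sorts on protected fields -------

// Constructed request-log lines (method, path, query string).
const SAMPLE_LOG = [
  'GET /parse/classes/Employee?where=%7B%22name%22%3A%22alice%22%7D',
  'GET /parse/classes/Employee?where=%7B%22salary.amount%22%3A%7B%22%24gt%22%3A50000%7D%7D',
  'GET /parse/classes/Employee?order=-salary.amount&limit=1',
  'GET /parse/classes/Article?where=%7B%22author.name%22%3A%22bob%22%7D',
];
// Mirrors each class's protectedFields CLP (constructed).
const PROTECTED_BY_CLASS = { Employee: ['salary'], Article: [] };

// Collect every field path a where clause constrains, descending into
// $and/$or/$nor so a dotted key nested in a compound clause is not missed.
function fieldPaths(where, out = []) {
  if (Array.isArray(where)) { where.forEach(w => fieldPaths(w, out)); return out; }
  if (where && typeof where === 'object') {
    for (const [k, v] of Object.entries(where)) {
      if (['$and', '$or', '$nor'].includes(k)) fieldPaths(v, out); else out.push(k);
    }
  }
  return out;
}

// A dotted path whose root segment is protected is the bypass signature.
function isBypassPath(path, protectedFields) {
  return path.includes('.') && protectedFields.includes(path.split('.')[0]);
}

// Returns { className, hits } for a suspicious request line, else null.
function scanRequest(line) {
  const m = /^\S+ \/parse\/classes\/([^\/?]+)\?(.*)$/.exec(line);
  if (!m) return null;
  const [, className, qs] = m;
  const params = new URLSearchParams(qs);
  const prot = PROTECTED_BY_CLASS[className] || [];
  const hits = [];
  if (params.has('where')) {
    for (const p of fieldPaths(JSON.parse(params.get('where')))) {
      if (isBypassPath(p, prot)) hits.push(`where:${p}`);
    }
  }
  if (params.has('order')) {
    for (const p of params.get('order').split(',').map(s => s.replace(/^-/, ''))) {
      if (isBypassPath(p, prot)) hits.push(`order:${p}`);
    }
  }
  return hits.length ? { className, hits } : null;
}

function scanLog(lines) {
  return lines.map(scanRequest).filter(Boolean);
}
```

Run over `SAMPLE_LOG`, `scanLog` reports the two Employee requests that touch `salary.amount` (one through `where`, one through `order`) and ignores the Article query, whose dotted key targets a field that is not protected. Feed `isVulnerable` the version string each instance reports after the upgrade to confirm nothing is still on an affected release.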

Generated by OpenCVE AI on March 17, 2026 at 17:08 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-r2m8-pxm9-9c4g
Title: Parse Server has a protected fields bypass via dot-notation in query and sort

History

Fri, 13 Mar 2026 18:30:00 +0000

Type: First Time appeared
Values Added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values Added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Parseplatform; Parseplatform parse-server

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 12 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Wed, 11 Mar 2026 18:15:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.

Type: Title
Values Added: Parse Server has a protected fields bypass via dot-notation in query and sort

Type: Weaknesses
Values Added: CWE-284

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:09:15.616Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31872

Vulnrichment

Updated: 2026-03-12T20:09:12.393Z

NVD

Status : Analyzed

Published: 2026-03-11T18:16:26.830

Modified: 2026-03-13T18:24:36.583

Link: CVE-2026-31872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:00Z

Weaknesses