Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. This vulnerability is fixed in 9.6.0-alpha.10 and 8.6.36.
Published: 2026-03-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

Parse Server allows an attacker who holds the master key to inject arbitrary SQL via field names used in $regex query operators when the server is backed by PostgreSQL. The field name is spliced into the SQL text by string interpolation rather than passed as a quoted identifier or a bind parameter, so a crafted name rewrites the statement the database executes. The master key already grants unrestricted access through the Parse API, but that access is mediated by Parse Server; the injected SQL is not, so it runs with whatever privileges the Parse Server database role has and can read, modify or delete data that Parse itself never exposes. The CVSS vectors (C:L/I:L/A:L) rate each of these impacts as limited rather than total.
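The pattern described above, as an added illustration that is not Parse Server's own code: a query builder that interpolates the field name while binding only the regex value, a constructed crafted field name that turns the predicate into a subquery against another table, a hardened builder that rejects and quotes identifiers, and a walker that flags such names in a Parse `where` object before it reaches the adapter. The `Post` and `_User` table names, the helper names and the sample request body are assumptions made for this example.

```javascript
// Added illustration for this advisory, not Parse Server's own code.
// Shows the CWE-89 pattern the advisory describes (a query field name
// interpolated into SQL text while only the value is parameterised), a
// hardened builder, and a detector for crafted field names in a Parse
// `where` object. Table/column names and helper names are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// The field name is pasted into the SQL; only the regex pattern is a bind
// parameter, so a double quote in the name rewrites the statement.
function buildRegexWhereVulnerable(fieldName, pattern) {
  return {
    text: `SELECT * FROM "Post" WHERE "${fieldName}" ~ $1`,
    values: [pattern],
  };
}

// Constructed payload: closes the identifier, ORs in a subquery against
// another table, then reopens an identifier so the statement stays valid.
// A single statement is enough; a boolean-based subquery already reads
// beyond anything the Parse API would return.
const CRAFTED_FIELD =
  'title" ~ $1 OR (SELECT count(*) FROM "_User") > 0 OR "title';

// --- Hardened pattern -----------------------------------------------------
// Plain SQL column names only (nested key paths such as "a.b" need their
// own handling and are rejected by this builder).
const PLAIN_IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Double any embedded quote and wrap in quotes: the standard way to quote
// a PostgreSQL identifier when it cannot be a bind parameter.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildRegexWhereSafe(fieldName, pattern) {
  if (!PLAIN_IDENT_RE.test(fieldName)) {
    throw new Error('rejected field name: ' + JSON.stringify(fieldName));
  }
  return {
    text: `SELECT * FROM "Post" WHERE ${quoteIdent(fieldName)} ~ $1`,
    values: [pattern],
  };
}

// --- Detection at the request layer --------------------------------------
// Accepts identifiers and dotted key paths; anything else is reported.
const FIELD_PATH_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function isSafeFieldName(name) {
  return FIELD_PATH_RE.test(name);
}

// Walk a Parse `where` object ($or/$and arrays, nested operator objects)
// and collect every non-operator key that is not a well-formed field name.
function findSuspiciousFieldNames(where, out = []) {
  if (Array.isArray(where)) {
    for (const item of where) findSuspiciousFieldNames(item, out);
    return out;
  }
  if (where === null || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    // Keys such as $or, $and, $regex, $in are operators, not field names.
    if (!key.startsWith('$') && !isSafeFieldName(key)) out.push(key);
    findSuspiciousFieldNames(value, out);
  }
  return out;
}

// Constructed request body, as a master-key client could send it.
const CONSTRUCTED_WHERE = {
  $or: [
    { title: { $regex: '^a' } },
    { [CRAFTED_FIELD]: { $regex: 'x' } },
  ],
};

function demo() {
  const bad = buildRegexWhereVulnerable(CRAFTED_FIELD, '^a');
  console.log('vulnerable SQL :', bad.text);
  console.log('flagged names  :', findSuspiciousFieldNames(CONSTRUCTED_WHERE));
  try {
    buildRegexWhereSafe(CRAFTED_FIELD, '^a');
  } catch (e) {
    console.log('hardened builder:', e.message);
  }
}
demo();
```

The vulnerable builder emits a syntactically valid statement whose WHERE clause now contains a subquery the client chose; the hardened builder refuses the name before any SQL is built, and the detector gives a place (a beforeFind trigger or a proxy) to spot the same names in request bodies.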

Affected Systems

The affected product is Parse Server (parse-community:parse-server). Any deployment using PostgreSQL as its database is vulnerable if it runs a version prior to 9.6.0-alpha.10 or 8.6.36, that is, 9.6.0-alpha.9 and earlier on the 9.x prerelease line and 8.6.35 and earlier on the 8.x line. Deployments backed by MongoDB are not affected.

Risk and Exploitability

The CVSS v4.0 base score is 5.1 (Medium; the v3.1 vector scores it 4.7), and the EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Because the crafted query must be sent with the master key, the realistic attacker is someone who already holds that key: an insider, a compromised CI or admin host, or a client build or log that leaked it. Treat any deployment where the master key is shared widely or reachable by semi-trusted tooling as exposed.

Generated by OpenCVE AI on March 17, 2026 at 16:26 UTC.

Remediation

Fixed in Parse Server 9.6.0-alpha.10 and 8.6.36 (per the description and GHSA-c442-97qw-j6c6). No workaround for unpatched versions is listed.

OpenCVE Recommended Actions

  • Upgrade Parse Server to 8.6.36 or later on the 8.x line, or to 9.6.0-alpha.10 or later on the 9.x prerelease line. Only PostgreSQL-backed deployments need to act; MongoDB-backed ones are not affected.
  • If an upgrade is not immediately possible, keep the master key strictly confidential: never ship it in client builds, and rotate it if it may have reached CI logs, shared dashboards or untrusted tooling.
  • As defense in depth until patched, reject query field names that are not plain identifiers (letters, digits, underscores, optionally dotted key paths) before they reach the database adapter, for example in a beforeFind cloud trigger or at a reverse proxy in front of the /classes endpoints. This does not replace the patched adapter, which handles the identifier safely.
  • Review PostgreSQL statement logs for queries whose quoted identifiers contain additional SQL, which would indicate attempted exploitation.

Advisories
Source: GitHub GHSA
ID: GHSA-c442-97qw-j6c6
Title: Parse Server has a SQL injection via query field name when using PostgreSQL
History

Fri, 13 Mar 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values Added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Parseplatform; Parseplatform parse-server

Type: Metrics
Values Added: cvssV3_1
{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}


Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Wed, 11 Mar 2026 20:15:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. This vulnerability is fixed in 9.6.0-alpha.10 and 8.6.36.

Type: Title
Values Added: Parse Server has a SQL injection via query field name when using PostgreSQL

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (not shown)

Type: Metrics
Values Added: cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:52:17.029Z

Reserved: 2026-03-11T14:47:05.683Z

Link: CVE-2026-32234

Vulnrichment

Updated: 2026-03-12T19:52:13.697Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:18.563

Modified: 2026-03-13T16:59:07.090

Link: CVE-2026-32234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:25Z

Weaknesses