Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Schema Poisoning via Prototype Pollution
Action: Upgrade Server
AI Analysis

Impact

Parse Server is an open-source backend that can run on any Node.js infrastructure. Prior to the 9.6.0-alpha.20 and 8.6.44 releases, a malicious request can exploit prototype pollution in the deep-copy mechanism. By bypassing the default request keyword deny-list protection, an attacker can inject disallowed fields into class schemas that are locked against field addition. The injected fields create permanent schema type conflicts that cannot be resolved even when using the master key. The underlying weakness is prototype pollution (CWE-1321) and the impact is a corruption of database schema definitions, potentially causing application failures and a loss of data integrity.
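The description above says the fix replaced a third-party deep copy with a built-in clone that "handles prototype properties safely", so that the existing denylist check can see the prohibited keyword again. The block below is an added illustration of that mechanism written for this page; it is not Parse Server's code and does not reproduce its implementation. It shows why an own-key denylist check can be blinded when a name-by-name deep copy runs over a parsed JSON body, and how a clone that installs keys as plain own properties keeps that check effective. The denylist contents, the sample request body and every function name are constructed assumptions.

```javascript
// Added example for this page; not Parse Server's code. Illustrates how a
// deep copy that assigns keys by name can move an own "__proto__" key onto
// the prototype chain, hiding it from a later own-key denylist check, and how
// a clone that defines own properties keeps the check effective.
// DENYLIST, SAMPLE_BODY and all function names are constructed assumptions.

const DENYLIST = ["__proto__", "constructor", "prototype"];

// Constructed request body. JSON.parse turns the "__proto__" member into an
// ordinary own property of the parsed object; it does not change the prototype.
const SAMPLE_BODY = '{"name":"Alice","__proto__":{"injected":"field"}}';

// Denylist check over own keys only, recursing into nested objects.
// Returns the dotted paths of every denied key it finds.
function findDeniedKeys(obj, path = "") {
  const hits = [];
  if (obj === null || typeof obj !== "object") return hits;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (DENYLIST.includes(key)) hits.push(here);
    hits.push(...findDeniedKeys(obj[key], here));
  }
  return hits;
}

// Naive deep copy. `dst[key] = value` with key === "__proto__" does not create
// an own property: it invokes the Object.prototype.__proto__ setter and makes
// `value` the prototype of dst. The copy then has no own "__proto__" key for
// the check above to see, yet inherits everything that `value` contains.
function naiveDeepCopy(src) {
  if (src === null || typeof src !== "object") return src;
  const dst = Array.isArray(src) ? [] : {};
  for (const key in src) dst[key] = naiveDeepCopy(src[key]);
  return dst;
}

// Hardened deep clone. Own keys only (no inherited ones), and each key is
// installed with Object.defineProperty, which never triggers the __proto__
// setter, so a "__proto__" key stays an own, enumerable data property that
// findDeniedKeys() reports. The prototype of the clone is left untouched.
function safeDeepClone(src) {
  if (src === null || typeof src !== "object") return src;
  if (Array.isArray(src)) return src.map(safeDeepClone);
  const dst = {};
  for (const key of Object.keys(src)) {
    Object.defineProperty(dst, key, {
      value: safeDeepClone(src[key]),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return dst;
}

// Request handling as a defender wants it: clone, then validate the clone,
// and reject the request if any denied key is present in what will be used.
function validateBody(rawJson, cloneFn) {
  const clone = cloneFn(JSON.parse(rawJson));
  const denied = findDeniedKeys(clone);
  return { accepted: denied.length === 0, denied, clone };
}

// Runs both strategies over the sample body and reports what the check sees.
function demo() {
  const naive = validateBody(SAMPLE_BODY, naiveDeepCopy);
  const safe = validateBody(SAMPLE_BODY, safeDeepClone);
  return {
    naiveAccepted: naive.accepted,        // true: the check was blinded
    naiveInherited: naive.clone.injected, // "field": landed on the prototype
    safeAccepted: safe.accepted,          // false: "__proto__" detected
    safeDenied: safe.denied,              // ["__proto__"]
    safeInherited: safe.clone.injected,   // undefined: prototype untouched
  };
}

console.log(demo());
```

Run it with `node`; `demo()` returns the outcome of both strategies. The design point is that a clone must treat every key from untrusted input as data and never as an instruction to the runtime, which is what `Object.defineProperty` (or, equivalently, building into a null-prototype object) achieves, and why the check that follows it can be trusted.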

Affected Systems

Affected systems are deployments of the parse-community:parse-server component running any version before 9.6.0-alpha.20 or 8.6.44. The CPE listing indicates that all 9.6.0 alpha releases up to alpha19 and the earlier 8.x releases are vulnerable. Versions 9.6.0-alpha.20 and later, and 8.6.44 and later, are not affected.

Risk and Exploitability

The CVSS v3 score is 5.3, which represents moderate severity, while the EPSS score is less than 1 %, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It is inferred from the description that the attack vector is remote via a crafted HTTP request to the Parse Server API, as the prototype pollution is introduced through request processing. No known workarounds exist; the only remediation is upgrading to a fixed version.

Generated by OpenCVE AI on March 19, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade parse-server to version 9.6.0-alpha.20 or newer, or to 8.6.44 or newer, to eliminate prototype pollution in the deep-copy function.
  • If an upgrade is not immediately possible, place the affected Parse Server instance behind a reverse proxy that validates request payloads against the deny-list and monitor for abnormal schema changes.
  • Plan and execute a phased upgrade path to move to a supported release as soon as feasible.


Advisories
Source: GitHub GHSA
ID: GHSA-9ccr-fpp6-78qf
Title: Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
History

Thu, 19 Mar 2026 17:30:00 +0000

Values added:
  First Time appeared: Parseplatform; Parseplatform parse-server
  CPEs:
    cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*
  Vendors & Products: Parseplatform; Parseplatform parse-server
  Metrics: cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Thu, 19 Mar 2026 17:15:00 +0000

Values added:
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Values added:
  First Time appeared: Parse Community; Parse Community parse Server
  Vendors & Products: Parse Community; Parse Community parse Server

Wed, 18 Mar 2026 22:00:00 +0000

Values added:
  Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.
  Title: Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
  Weaknesses: CWE-1321
  References:
  Metrics: cvssV4_0
    {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:13:32.669Z

Reserved: 2026-03-16T21:03:44.420Z

Link: CVE-2026-32878

Vulnrichment

Updated: 2026-03-19T16:13:28.060Z

NVD

Status : Analyzed

Published: 2026-03-18T22:16:25.510

Modified: 2026-03-19T17:28:32.513

Link: CVE-2026-32878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:03Z

Weaknesses