Impact
A flaw in Parse Server allows an attacker who holds the master key to inject SQL metacharacters through field names passed to the aggregate $group pipeline stage or the distinct operation. Because the PostgreSQL adapter splices these names into query strings as raw identifiers rather than quoting or validating them, the attacker can run arbitrary SQL statements. This is SQL injection (CWE-89, Improper Neutralization of Special Elements used in an SQL Command) and can lead to reading, modifying, or deleting data at the database level, effectively escalating from a Parse Server application‑level administrator to full access to the backing PostgreSQL database.
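The following is an added illustration, not Parse Server's own adapter code: a naive query builder that splices a field name into a PostgreSQL DISTINCT or GROUP BY statement the way the advisory describes, beside a hardened builder that allow-lists and quotes the identifier. The table names, the field-name pattern, and the payload are constructed assumptions for this example.

```javascript
// Added example, not Parse Server code. Table/column names are hypothetical.

// Vulnerable pattern: the caller-supplied field name is spliced into the SQL
// text verbatim, so a name containing a double quote or semicolon changes the
// statement instead of naming a column.
function buildDistinctUnsafe(table, field) {
  return `SELECT DISTINCT "${field}" FROM "${table}"`;
}

// Allow-list for identifiers (assumption for this example): letters, digits and
// underscore, starting with a letter or underscore. Parse class and field names
// fit this shape; anything else is rejected before it reaches the query.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Quote a PostgreSQL identifier. The regex check makes the quote-doubling
// unreachable, but it is kept as a second line of defence in case the
// allow-list is ever relaxed: PostgreSQL escapes a double quote inside a
// quoted identifier by doubling it.
function quoteIdent(name) {
  if (typeof name !== 'string' || !IDENT_RE.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Hardened distinct: identifiers go through quoteIdent, never raw interpolation.
function buildDistinctSafe(table, field) {
  return `SELECT DISTINCT ${quoteIdent(field)} FROM ${quoteIdent(table)}`;
}

// Hardened $group: the group key is used twice (select list and GROUP BY), so
// both occurrences come from the same validated, quoted identifier.
function buildGroupSafe(table, field) {
  const col = quoteIdent(field);
  return `SELECT ${col}, count(*) FROM ${quoteIdent(table)} GROUP BY ${col}`;
}

// Constructed malicious "field name": closes the quoted identifier, terminates
// the SELECT, appends a second statement, and comments out the rest of the
// template so the result still parses.
const MALICIOUS_FIELD = 'score" FROM "_User"; DROP TABLE "_User"; --';

// Count the statements a generated query would execute (ignoring a trailing
// comment fragment), to show how many the naive builder emits for the payload.
function countStatements(sql) {
  return sql
    .split(';')
    .map(s => s.trim())
    .filter(s => s && !s.startsWith('--')).length;
}

// Stand-alone demonstration.
console.log(buildDistinctUnsafe('_Score', MALICIOUS_FIELD));
console.log('statements emitted by unsafe builder:',
  countStatements(buildDistinctUnsafe('_Score', MALICIOUS_FIELD)));
console.log(buildGroupSafe('_Score', 'playerName'));
try {
  buildDistinctSafe('_Score', MALICIOUS_FIELD);
} catch (e) {
  console.log('safe builder rejected payload:', e.message);
}
```

Running the block shows the unsafe builder turning one DISTINCT into two statements, the second of which is a DROP TABLE, while the hardened builder refuses the same input before any SQL is assembled. In a real adapter the equivalent protection is to route every identifier through the driver's identifier-quoting facility rather than string concatenation, in addition to restricting field names to the characters the data model actually allows.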
Affected Systems
Parse Server deployments that use the PostgreSQL adapter are affected, specifically 8.x releases before 8.6.59 and 9.x pre-releases before 9.6.0‑alpha.53. Deployments that use the MongoDB adapter are not impacted. The affected software is the open‑source Parse Server published by parse-community.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. The EPSS estimate puts the probability of exploitation in the wild below 1 %, so widespread exploitation is currently unlikely, but the precondition is possession of the master key, a privileged credential that is a frequent target. The vulnerability is not listed in CISA’s KEV catalog, which means there is no confirmed evidence of active exploitation; it does not mean that no exploit is possible or that the issue is hard to trigger once the master key is held. In practice, an attacker who has compromised a Parse Server instance or obtained the master key can execute arbitrary SQL against the backing database. The likely attack vector is therefore a compromised or misconfigured Parse Server instance, for example a master key leaked through configuration, logs, or client-side code; direct external input paths are not the primary route, since the affected operations require the master key.
OpenCVE Enrichment
Github GHSA