CVE-2026-29182
Received Received - Intake

Privilege Escalation via readOnlyMasterKey in Parse Server

Vulnerability report for CVE-2026-29182, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
parseplatform parse-server to 8.6.4 (exc)
parseplatform parse-server 9.4.1
parseplatform parse-server 9.4.1
parseplatform parse-server From 9.0.0 (inc) to 9.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, the primary and recommended step is to upgrade Parse Server to version 8.6.4 or 9.4.1-alpha.3 or later, where the issue has been fixed.

If an immediate upgrade is not possible, restrict access to the readOnlyMasterKey and avoid sharing it with untrusted parties to reduce the risk of exploitation.

Executive Summary

CVE-2026-29182 is a vulnerability in Parse Server versions prior to 8.6.4 and 9.4.1-alpha.3 where the readOnlyMasterKey, which is supposed to allow only master-level read access and deny all write operations, is improperly enforced.

Due to this flaw, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations, allowing an attacker who knows this key to create, modify, and delete Cloud Hooks and start Cloud Jobs.

This can be exploited to perform unauthorized write actions, potentially leading to data exfiltration.

The issue was fixed in versions 8.6.4 and 9.4.1-alpha.3 by adding proper authorization checks.

Impact Analysis

If you use Parse Server with the readOnlyMasterKey option, this vulnerability allows an attacker who knows the readOnlyMasterKey to perform unauthorized write operations.

  • Create, modify, and delete Cloud Hooks.
  • Start Cloud Jobs.

These actions can be used for data exfiltration and compromise the confidentiality, integrity, and availability of your system.

The vulnerability has a high severity rating with a CVSS v4 base score of 8.6 and can be exploited remotely without user interaction, but requires possession of the readOnlyMasterKey.

Compliance Impact

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29182. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart