CVE-2026-30229
Privilege Escalation via readOnlyMasterKey in Parse Server
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | to 8.6.6 (exc) |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.4.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30229 is a security vulnerability in the Parse Server project that affects versions prior to 8.6.6 and between 9.0.0 and 9.5.0-alpha.4. The issue lies in the `/loginAs` endpoint, which improperly allows the use of the `readOnlyMasterKey` to obtain a valid session token for any user.
This means that a credential intended only for read-only access can be exploited to impersonate arbitrary users, granting full read and write access to their data. Essentially, an attacker with the `readOnlyMasterKey` can escalate privileges beyond what was intended.
How can this vulnerability impact me?
If you use Parse Server with the `readOnlyMasterKey`, this vulnerability allows an attacker who has that key to impersonate any user and gain full read and write access to their data.
- Unauthorized full access to user accounts
- Ability to read sensitive data beyond intended permissions
- Ability to modify or delete user data, compromising data integrity
- Potential for privilege escalation from read-only to full access
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves misuse of the `/loginAs` endpoint with the `readOnlyMasterKey` to obtain session tokens for arbitrary users. Detection would involve monitoring for POST requests to the `/loginAs` endpoint that use the `readOnlyMasterKey`.
You can detect potential exploitation attempts by inspecting your server logs or network traffic for POST requests to `/loginAs` that include the `readOnlyMasterKey`.
- Check server access logs for POST requests to the `/loginAs` endpoint.
- Search logs for usage of the `readOnlyMasterKey` in authorization headers or request bodies.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to `/loginAs`.
- Example command to search logs: `grep -i 'POST /loginAs' /path/to/parse-server/logs`
- Example command to find usage of `readOnlyMasterKey`: `grep -i 'readOnlyMasterKey' /path/to/parse-server/logs`
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Parse Server to a patched version where the vulnerability is fixed.
- Upgrade Parse Server to version 8.6.6 or later, or to 9.5.0-alpha.4 or later.
- If upgrading immediately is not possible, discontinue the use of the `readOnlyMasterKey` until the patch can be applied.
There is no workaround other than applying the patch or stopping use of the vulnerable key.