CVE-2026-30229
Received Received - Intake

Privilege Escalation via readOnlyMasterKey in Parse Server

Vulnerability report for CVE-2026-30229, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-06
Last Modified
2026-03-11
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server to 8.6.6 (exc)
parseplatform parse-server From 9.0.0 (inc) to 9.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-30229 is a security vulnerability in the Parse Server project that affects versions prior to 8.6.6 and between 9.0.0 and 9.5.0-alpha.4. The issue lies in the `/loginAs` endpoint, which improperly allows the use of the `readOnlyMasterKey` to obtain a valid session token for any user.

This means that a credential intended only for read-only access can be exploited to impersonate arbitrary users, granting full read and write access to their data. Essentially, an attacker with the `readOnlyMasterKey` can escalate privileges beyond what was intended.

Impact Analysis

If you use Parse Server with the `readOnlyMasterKey`, this vulnerability allows an attacker who has that key to impersonate any user and gain full read and write access to their data.

  • Unauthorized full access to user accounts
  • Ability to read sensitive data beyond intended permissions
  • Ability to modify or delete user data, compromising data integrity
  • Potential for privilege escalation from read-only to full access
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves misuse of the `/loginAs` endpoint with the `readOnlyMasterKey` to obtain session tokens for arbitrary users. Detection would involve monitoring for POST requests to the `/loginAs` endpoint that use the `readOnlyMasterKey`.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation attempts by inspecting your server logs or network traffic for POST requests to `/loginAs` that include the `readOnlyMasterKey`.'}, {'type': 'list_item', 'content': 'Check server access logs for POST requests to `/loginAs` endpoint.'}, {'type': 'list_item', 'content': 'Search logs for usage of the `readOnlyMasterKey` in authorization headers or request bodies.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to `/loginAs`.'}, {'type': 'list_item', 'content': "Example command to search logs: `grep -i 'POST /loginAs' /path/to/parse-server/logs`"}, {'type': 'list_item', 'content': "Example command to find usage of `readOnlyMasterKey`: `grep -i 'readOnlyMasterKey' /path/to/parse-server/logs`"}] [1, 2, 3]

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to a patched version where the vulnerability is fixed.

  • Upgrade Parse Server to version 8.6.6 or later, or to 9.5.0-alpha.4 or later.
  • If upgrading immediately is not possible, discontinue the use of the `readOnlyMasterKey` until the patch can be applied.

There is no workaround other than applying the patch or stopping use of the vulnerable key.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart