CVE-2026-30229
Status: Received - Intake
Privilege Escalation via readOnlyMasterKey in Parse Server

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
Meta Information

Published: 2026-03-06
Last Modified: 2026-03-11
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products

Showing 5 associated CPEs

| Vendor        | Product      | Version / Range                        |
|---------------|--------------|----------------------------------------|
| parseplatform | parse-server | 9.5.0                                  |
| parseplatform | parse-server | 9.5.0                                  |
| parseplatform | parse-server | 9.5.0                                  |
| parseplatform | parse-server | up to 8.6.6 (excluding)                |
| parseplatform | parse-server | from 9.0.0 (including) to 9.4.1 (including) |
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-30229 is a security vulnerability in the Parse Server project that affects versions prior to 8.6.6 and between 9.0.0 and 9.5.0-alpha.4. The issue lies in the `/loginAs` endpoint, which improperly allows the use of the `readOnlyMasterKey` to obtain a valid session token for any user.

This means that a credential intended only for read-only access can be exploited to impersonate arbitrary users, granting full read and write access to their data. Essentially, an attacker with the `readOnlyMasterKey` can escalate privileges beyond what was intended.

Impact Analysis

If you use Parse Server with the `readOnlyMasterKey`, this vulnerability allows an attacker who has that key to impersonate any user and gain full read and write access to their data.

  • Unauthorized full access to user accounts
  • Ability to read sensitive data beyond intended permissions
  • Ability to modify or delete user data, compromising data integrity
  • Potential for privilege escalation from read-only to full access

Detection Guidance

This vulnerability involves misuse of the `/loginAs` endpoint with the `readOnlyMasterKey` to obtain session tokens for arbitrary users. Detection would involve monitoring for POST requests to the `/loginAs` endpoint that use the `readOnlyMasterKey`.

You can detect potential exploitation attempts by inspecting your server logs or network traffic for POST requests to `/loginAs` that include the `readOnlyMasterKey`.

  • Check server access logs for POST requests to the `/loginAs` endpoint.
  • Search logs for usage of the `readOnlyMasterKey` in authorization headers or request bodies.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to `/loginAs`.
  • Example command to search logs: `grep -i 'POST /loginAs' /path/to/parse-server/logs`
  • Example command to find usage of `readOnlyMasterKey`: `grep -i 'readOnlyMasterKey' /path/to/parse-server/logs`
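The endpoint check above, as an added example that is not part of this record or of Parse Server itself. Standard access logs do not record header values, so the detector keys on the endpoint rather than on the key: it parses combined-format proxy log lines (constructed sample data), normalizes the path so that mount prefix, query string, trailing slash and letter case do not hide a hit, and counts `POST /loginAs` calls per client IP. The `/parse` mount path and the combined log format are assumptions; adjust them for your deployment.

```javascript
// Added example, not from Parse Server or the advisory.
// Assumes Apache/nginx "combined" log lines from a proxy in front of
// Parse Server and a Parse mount path of /parse (both are assumptions).
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+(?: "[^"]*" "([^"]*)")?/;

// Strip mount prefix, query string, trailing slash and case so that
// "/parse/loginAs?x=1", "/parse/loginas/" and "/PARSE/LoginAs" compare equal.
function normalizePath(rawPath, mountPath) {
  let p = rawPath.split('?')[0].replace(/\/+$/, '').toLowerCase();
  const mount = mountPath.replace(/\/+$/, '').toLowerCase();
  if (mount && p.startsWith(mount + '/')) p = p.slice(mount.length);
  return p;
}

// Parse one combined-format line; returns null for lines that do not match.
function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] || '' };
}

// Return every POST to loginAs regardless of status: on an unpatched server the
// read-only key succeeds too, so a 200 alone does not tell you which key was used.
function findLoginAsAttempts(lines, mountPath = '/parse') {
  return lines
    .map(parseLine)
    .filter(r => r && r.method === 'POST' && normalizePath(r.path, mountPath) === '/loginas');
}

// Count hits per client IP so a burst of impersonation calls from one source stands out.
function summarizeByClient(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

// Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
const SAMPLE_LOG = [
  '203.0.113.7 - - [06/Mar/2026:10:01:02 +0000] "POST /parse/loginAs HTTP/1.1" 200 312 "-" "curl/8.0"',
  '203.0.113.7 - - [06/Mar/2026:10:01:03 +0000] "POST /parse/loginas/?foo=1 HTTP/1.1" 200 310 "-" "curl/8.0"',
  '198.51.100.4 - - [06/Mar/2026:10:02:00 +0000] "GET /parse/classes/Note HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [06/Mar/2026:10:02:05 +0000] "POST /parse/login HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [06/Mar/2026:10:03:00 +0000] "POST /parse/loginAs HTTP/1.1" 403 90 "-" "python-requests/2.31"',
];

const loginAsHits = findLoginAsAttempts(SAMPLE_LOG);
console.log(loginAsHits.length, 'loginAs calls by client:', summarizeByClient(loginAsHits));
```

On the sample data this reports three loginAs calls, two from 203.0.113.7 and one from 192.0.2.9; the plain `/parse/login` request is correctly ignored.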

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to a patched version where the vulnerability is fixed.

  • Upgrade Parse Server to version 8.6.6 or later, or to 9.5.0-alpha.4 or later.
  • If upgrading immediately is not possible, discontinue the use of the `readOnlyMasterKey` until the patch can be applied.

There is no workaround other than applying the patch or stopping use of the vulnerable key.
