CVE-2026-30848
Received Received - Intake
Path Traversal in Parse Server PagesRouter Allows Unauthorized File Access

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30848
EUVD
EUVD-2026-10169
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
parseplatform parse-server From 9.0.0 (inc) to 9.5.0 (exc)
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server to 8.6.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the PagesRouter component in the Parse Server backend, specifically versions before 8.6.8 and between 9.0.0 and 9.5.0-alpha.8. It is a path traversal flaw that allows unauthenticated attackers to read files outside the intended static file directory (pagesPath).

The issue arises because the boundary check used to restrict file access relies on a string prefix comparison without enforcing a directory separator boundary. This means an attacker can use path traversal sequences to access sibling directories whose names start with the same prefix as the pagesPath directory (for example, if pagesPath is /srv/pages, an attacker could access /srv/pages-secret).

Exploitation requires that the pages feature is enabled and that such sibling directories exist. The vulnerability allows reading unauthorized files remotely without any privileges or user interaction.

Impact Analysis

This vulnerability can impact you by allowing an attacker to read files outside the intended static file directory on your Parse Server deployment. This could lead to unauthorized disclosure of sensitive information stored in sibling directories that share a prefix with the pagesPath directory.

The confidentiality impact is considered low, as the attacker can only read files but cannot modify or delete them. There is no impact on integrity or availability.

The attack is low complexity, requires no privileges or user interaction, and can be performed remotely over the network.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing the PagesRouter static file serving route for path traversal attempts that access files outside the configured pagesPath directory.

You can attempt to access files in sibling directories whose names share the same prefix as the pagesPath directory by sending HTTP requests with path traversal sequences (e.g., ../) to the PagesRouter endpoint.

For example, using curl to test if files outside the pagesPath directory are accessible:

  • curl -v http://<parse-server-host>/pages/../pages-secret/somefile
  • curl -v http://<parse-server-host>/pages/..%2Fpages-secret%2Fsomefile

If these requests return contents of files outside the intended directory, the system is vulnerable.

Additionally, verify if the Parse Server version is prior to 8.6.8 or between 9.0.0 and 9.5.0-alpha.8, and if the pages feature is enabled (pages.enableRouter: true), as these are conditions for exploitation.

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to a patched version: 8.6.8 or later, or 9.5.0-alpha.8 or later.

If upgrading immediately is not possible, you can apply workarounds such as ensuring that no sibling directories exist with names sharing the same prefix as the pagesPath directory (e.g., avoid directories like /srv/pages-backup alongside /srv/pages).

Also, consider disabling the pages feature by setting pages.enableRouter to false if it is not required.

These steps help prevent exploitation by removing the conditions necessary for the path traversal attack.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart