CVE-2026-30962
Status: Received - Intake
Bypass of Protected Field Validation in Parse Server Allows Data Exposure

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
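The bypass described above, as an added example that is not Parse Server's own code: a protected-field check that inspects only top-level `where` keys (the pattern the description attributes to vulnerable versions) beside a recursive check that also descends into `$and`/`$or`/`$nor`, both run on a constructed wrapped query, and the same recursive walker reused to flag such requests in constructed request-log lines (relevant to the detection question in the Q&A section below). The function names, the protected field `email` on `_User`, and the log-line shape are assumptions for illustration; substitute the `protectedFields` configured in your own deployment.

```javascript
// Added example; not Parse Server's own code. Reconstructs the pattern the
// advisory describes: a protected-field check that looks only at top-level
// `where` keys, beside a recursive check that also descends into logical
// operators, plus the same walker applied to request logs for detection.

// Shape of Parse Server's `protectedFields` option: class -> subject -> fields.
// The concrete field name is an assumption for this example; substitute the
// protected fields configured in your own deployment.
const PROTECTED_FIELDS = { _User: { '*': ['email'] } };

// Query operators whose value is an array of sub-queries.
const LOGICAL_OPS = new Set(['$and', '$or', '$nor']);

// Vulnerable pattern (hypothetical name): inspects only the top-level keys.
function protectedHitsTopLevel(where, protectedFields) {
  return Object.keys(where).filter((key) => protectedFields.includes(key));
}

// Hardened pattern (hypothetical name): descends through $and/$or/$nor at any
// depth and collects every protected field constrained anywhere in the tree.
function protectedHitsRecursive(where, protectedFields, found = new Set()) {
  if (!where || typeof where !== 'object') return found;
  if (Array.isArray(where)) {
    for (const sub of where) protectedHitsRecursive(sub, protectedFields, found);
    return found;
  }
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.has(key)) {
      protectedHitsRecursive(value, protectedFields, found);
    } else if (protectedFields.includes(key)) {
      found.add(key);
    }
  }
  return found;
}

// Policy: reject any query that constrains a protected field of the class.
// recursive=false reproduces the bypassable behaviour, recursive=true the fix.
function validateWhere(className, where, recursive) {
  const fields = (PROTECTED_FIELDS[className] || {})['*'] || [];
  const hits = recursive
    ? [...protectedHitsRecursive(where, fields)]
    : protectedHitsTopLevel(where, fields);
  return { allowed: hits.length === 0, hits };
}

// Constructed `where` clauses. WHERE_WRAPPED is the bypass shape: the protected
// constraint sits one level down inside $or, so a top-level check never sees it.
const WHERE_DIRECT = { email: 'alice@example.com' };
const WHERE_WRAPPED = { $or: [{ email: 'alice@example.com' }, { objectId: 'none' }] };
const WHERE_NESTED = {
  $and: [{ username: 'alice' }, { $nor: [{ email: { $regex: '^b' } }] }],
};

// Detection input: constructed request-log lines, one JSON object per line.
// Parse's REST API carries `where` either in a JSON body (POST with
// _method=GET) or as a URL-encoded `where=` query parameter (GET). Real log
// formats differ; adapt the field names.
const SAMPLE_LOG_LINES = [
  { method: 'POST', path: '/parse/classes/_User',
    body: JSON.stringify({ where: { username: 'alice' }, _method: 'GET' }) },
  { method: 'POST', path: '/parse/classes/_User',
    body: JSON.stringify({ where: { $or: [{ email: { $regex: '^a' } }] }, _method: 'GET' }) },
  { method: 'GET', path: '/parse/classes/_User',
    query: 'where=' + encodeURIComponent(JSON.stringify({ $and: [{ email: 'bob@example.com' }] })) + '&limit=1' },
  { method: 'GET', path: '/parse/classes/Post',
    query: 'where=' + encodeURIComponent(JSON.stringify({ email: 'x' })) },
].map((entry) => JSON.stringify(entry));

// Pull the `where` clause out of either request shape; undefined if absent.
function extractWhere(entry) {
  if (entry.body) return JSON.parse(entry.body).where;
  if (entry.query) {
    const raw = new URLSearchParams(entry.query).get('where');
    return raw ? JSON.parse(raw) : undefined;
  }
  return undefined;
}

// One finding per line that constrains a protected field of the class named
// in the path, at any depth. Lines for classes with no protected fields skip.
function scanRequestLogs(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const entry = JSON.parse(line);
    const className = entry.path.split('/').pop();
    const fields = (PROTECTED_FIELDS[className] || {})['*'] || [];
    if (fields.length === 0) return;
    const hits = [...protectedHitsRecursive(extractWhere(entry), fields)];
    if (hits.length > 0) findings.push({ index, className, method: entry.method, hits });
  });
  return findings;
}

// Demonstration: the wrapped query passes the top-level check only.
console.log(validateWhere('_User', WHERE_WRAPPED, false)); // { allowed: true, hits: [] }
console.log(validateWhere('_User', WHERE_WRAPPED, true)); // { allowed: false, hits: [ 'email' ] }
console.log(scanRequestLogs(SAMPLE_LOG_LINES).map((f) => f.index)); // [ 1, 2 ]
```

The point of the recursive walker is that a constraint on a protected field is an oracle regardless of where it sits in the tree: the server answers whether the constraint matched, which is what lets an authenticated user extract the field's value without ever reading it directly. Any field-level policy check must therefore be applied to the whole query tree, not to its top-level keys. When scanning real logs, treat a hit on a wrapped constraint as a stronger signal than a direct one, since the direct form is rejected by vulnerable versions and a wrapped form is the only shape that gets through.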
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 7 associated CPEs (five of them list the same bare version, 9.5.2)
Vendor         Product       Version / Range
parseplatform  parse-server  9.5.2
parseplatform  parse-server  From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform  parse-server  to 8.6.19 (exc)
Note: the CPE ranges stop short of 9.5.2, while the description states that 9.5.2 pre-release builds before 9.5.2-alpha.6 are still affected. When checking a deployment, go by the version statement in the description and the vendor advisory rather than by the CPE list alone.
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 9.5.2-alpha.6 and 8.6.19, the system only validated protected fields at the top-level query keys. However, if a query constraint on a protected field was wrapped inside a logical operator, the validation was bypassed entirely. This means any authenticated user could query and extract values from protected fields that should have been restricted.


How can this vulnerability impact me?

The vulnerability allows authenticated users to access and extract data from protected fields that are supposed to be restricted. This can lead to unauthorized disclosure of sensitive information stored in those fields, potentially compromising data confidentiality and security in any Parse Server deployment using vulnerable versions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.6 or later, or 8.6.19 or later, where the issue with validation of protected fields has been fixed.

All Parse Server deployments have default protected fields and are vulnerable prior to these versions, so applying the update is the immediate recommended step.

