CVE-2026-30962
Received Received - Intake

Bypass of Protected Field Validation in Parse Server Allows Data Exposure

Vulnerability report for CVE-2026-30962, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-07-06
AI Q&A
2026-03-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.19 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 9.5.2-alpha.6 and 8.6.19, the system only validated protected fields at the top-level query keys. However, if a query constraint on a protected field was wrapped inside a logical operator, the validation was bypassed entirely. This means any authenticated user could query and extract values from protected fields that should have been restricted.

Impact Analysis

The vulnerability allows authenticated users to access and extract data from protected fields that are supposed to be restricted. This can lead to unauthorized disclosure of sensitive information stored in those fields, potentially compromising data confidentiality and security in any Parse Server deployment using vulnerable versions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.6 or later, or 8.6.19 or later, where the issue with validation of protected fields has been fixed.

All Parse Server deployments have default protected fields and are vulnerable prior to these versions, so applying the update is the immediate recommended step.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart