CVE-2026-30962
Received Received - Intake
Bypass of Protected Field Validation in Parse Server Allows Data Exposure

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30962
EUVD
EUVD-2026-10878
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 9.5.2-alpha.6 and 8.6.19, the system only validated protected fields at the top-level query keys. However, if a query constraint on a protected field was wrapped inside a logical operator, the validation was bypassed entirely. This means any authenticated user could query and extract values from protected fields that should have been restricted.

Impact Analysis

The vulnerability allows authenticated users to access and extract data from protected fields that are supposed to be restricted. This can lead to unauthorized disclosure of sensitive information stored in those fields, potentially compromising data confidentiality and security in any Parse Server deployment using vulnerable versions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.6 or later, or 8.6.19 or later, where the issue with validation of protected fields has been fixed.

All Parse Server deployments have default protected fields and are vulnerable prior to these versions, so applying the update is the immediate recommended step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart