CVE-2026-30966
Status: Received - Intake
Unauthorized Access via Relation Table Exposure in Parse Server

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Meta Information

Published: 2026-03-10
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Showing 8 associated CPEs

Vendor        | Product      | Version / Range
parseplatform | parse-server | 9.5.2 (six CPE entries, all displayed as 9.5.2)
parseplatform | parse-server | From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform | parse-server | to 8.6.20 (exc)
CWE

CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.7 and 8.6.20. The internal tables that store Relation field mappings, such as role memberships, can be accessed directly via the REST API or GraphQL API by any client using only the application key, without requiring the master key.

An attacker exploiting this vulnerability can create, read, update, or delete records in any internal relationship table. This allows the attacker to inject themselves into any Parse Role, thereby gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Additionally, writing to tables backing Relation fields used in pointerFields CLP bypasses access control.


How can this vulnerability impact me?

Exploiting this vulnerability allows an attacker to gain unauthorized access to sensitive data and functionality within the Parse Server backend.

  • The attacker can inject themselves into any Parse Role, gaining all permissions associated with that role.
  • They can perform full read, write, and delete operations on classes protected by role-based Class-Level Permissions.
  • Access control mechanisms can be bypassed by modifying Relation field tables, potentially compromising data integrity and confidentiality.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Parse Server to version 9.5.2-alpha.7 or later, or 8.6.20 or later, where the issue has been fixed.

