CVE-2026-30966
Status: Received - Intake
Unauthorized Access via Relation Table Exposure in Parse Server

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Meta Information

Generated: 2026-06-16

AI Q&A generated: 2026-03-10

EPSS evaluated: 2026-06-15
Affected Vendors & Products
Showing 8 associated CPEs

Vendor          Product        Version / Range
parseplatform   parse-server   9.5.2 (six CPEs listed for this version)
parseplatform   parse-server   From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform   parse-server   to 8.6.20 (exc)
CWE

CWE ID    Description
CWE-284   Improper Access Control: the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.7 and 8.6.20. The internal tables that store Relation field mappings, such as role memberships, can be accessed directly via the REST API or GraphQL API by any client using only the application key, without requiring the master key.

An attacker exploiting this vulnerability can create, read, update, or delete records in any internal relationship table. This allows the attacker to inject themselves into any Parse Role, thereby gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Additionally, writing to tables backing Relation fields used in pointerFields CLP bypasses access control.

Impact Analysis

Exploiting this vulnerability allows an attacker to gain unauthorized access to sensitive data and functionality within the Parse Server backend.

  • An attacker can add their own user to any Parse Role by writing to the role's membership table, gaining every permission granted to that role.
  • Through that role they obtain full read, write, and delete access to classes protected by role-based Class-Level Permissions.
  • Writing to the table behind a Relation field referenced in a pointerFields CLP bypasses that CLP as well, compromising the integrity and confidentiality of the protected class.
Compliance Impact

I don't know

Detection Guidance

The advisory gives no specific indicator, so detection has to be derived from the mechanism: on an affected version, any REST or GraphQL request that reaches an internal Relation table (the tables backing Relation fields, including role membership) while presenting only the application key is a request that should never have succeeded. Review API access logs for requests to those tables that do not carry the master key, and audit the membership of each Parse Role for users who were not added through an intended path; an unexpected member of a role that appears in a Class-Level Permission is the most direct sign of exploitation. Writes to tables that back Relation fields named in a pointerFields CLP deserve the same review.
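The following is an added example written for this page; it is not Parse Server code and not part of the advisory. It models the two checks a responder would want: flagging REST requests that touch an internal Relation table without the master key, and comparing a role's membership rows against the members you expect. Parse Server's "_Join:<field>:<Class>" naming for the tables behind Relation fields, the X-Parse-Master-Key header, and the owningId/relatedId column shape of its Mongo join collections are real conventions not stated on this page; the JSON log format, the "/parse" mount path, and the exact route shape for an internal table are assumptions, and the log lines and join rows are constructed.

```javascript
// Added example for CVE-2026-30966; not Parse Server code.
// Assumptions (not from the advisory): one-JSON-object-per-line access log,
// REST mounted at "/parse", internal table reachable at "/parse/classes/_Join:...".

const MASTER_KEY_HEADER = "x-parse-master-key"; // real Parse REST header, lower-cased

// Internal join tables that back Relation fields share the "_Join:" prefix
// (Parse Server storage convention); role membership lives in "_Join:users:_Role".
function isInternalRelationTable(className) {
  return typeof className === "string" && className.startsWith("_Join:");
}

// Extract the class name from a REST path such as "/parse/classes/_Role/abc".
// Returns null for routes that are not class routes (e.g. "/parse/login").
function classNameFromPath(path) {
  const m = /\/classes\/([^/?]+)/.exec(path);
  return m ? decodeURIComponent(m[1]) : null;
}

// Parse one-JSON-object-per-line log text; malformed lines are skipped, not fatal.
function parseLogLines(text) {
  const out = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      out.push(JSON.parse(line));
    } catch (_) {
      // ignore lines that are not JSON
    }
  }
  return out;
}

// Each entry: { method, path, headers } with lower-cased header names.
// Flags any REST request that reaches an internal relation table without the
// master key, which is exactly the request the fixed versions should reject.
function findUnprivilegedRelationTableAccess(entries) {
  return entries.filter((e) => {
    const cls = classNameFromPath(e.path || "");
    if (!isInternalRelationTable(cls)) return false;
    const hasMaster = Boolean(e.headers && e.headers[MASTER_KEY_HEADER]);
    return !hasMaster;
  });
}

// Compare the user ids recorded in a role's join rows against the expected
// members. Anything extra is a candidate injected membership.
function unexpectedRoleMembers(expectedUserIds, joinRows) {
  const expected = new Set(expectedUserIds);
  return joinRows.map((row) => row.relatedId).filter((id) => !expected.has(id));
}

// Constructed sample log (not real traffic). Line 3 carries the master key and
// is legitimate; lines 2 and 4 write to internal tables with only the app id.
const SAMPLE_LOG = [
  '{"method":"GET","path":"/parse/classes/GameScore","headers":{"x-parse-application-id":"myAppId"}}',
  '{"method":"POST","path":"/parse/classes/_Join:users:_Role","headers":{"x-parse-application-id":"myAppId"}}',
  '{"method":"GET","path":"/parse/classes/_Join:users:_Role","headers":{"x-parse-application-id":"myAppId","x-parse-master-key":"redacted"}}',
  '{"method":"POST","path":"/parse/classes/_Join:members:Team","headers":{"x-parse-application-id":"myAppId"}}',
  "not json at all",
].join("\n");

function demo() {
  const flagged = findUnprivilegedRelationTableAccess(parseLogLines(SAMPLE_LOG));
  // Constructed join rows in the owningId/relatedId shape: owningId is the role
  // object id, relatedId the user object id.
  const joinRows = [
    { owningId: "roleAdmin01", relatedId: "userAlice" },
    { owningId: "roleAdmin01", relatedId: "userMallory" },
  ];
  const extra = unexpectedRoleMembers(["userAlice"], joinRows);
  return { flagged, extra };
}

console.log(JSON.stringify(demo(), null, 2));
```

The path check only covers the REST API; GraphQL requests all go to a single endpoint, so the same test would have to be applied to the operation in the request body rather than the URL. The membership comparison assumes you have an authoritative list of who belongs in each role; where none exists, diffing the join rows against a pre-incident backup serves the same purpose.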

Mitigation Strategies

Upgrade Parse Server to 9.5.2-alpha.7 or later on the 9.x line, or to 8.6.20 or later on the 8.x line; the advisory describes no configuration-level workaround. After upgrading, confirm that a request to an internal Relation table made with only the application key is rejected, and review existing role memberships and Relation contents for entries that may have been injected before the fix, since upgrading does not undo rows already written.
