CVE-2026-31840
SQL Injection in Parse Server PostgreSQL Queries via Dot-Notation
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | to 8.6.28 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31840 is a critical SQL injection vulnerability in Parse Server versions prior to 9.6.0-alpha.2 and 8.6.28 that affects deployments using PostgreSQL databases.
The vulnerability arises from improper escaping of dot-notation sub-field values in queries, especially when using the sort query parameter, but also potentially affecting distinct and where parameters.
An attacker can exploit this by injecting malicious SQL code through specially crafted dot-notation field names, which can manipulate SQL queries executed on the PostgreSQL database.
This improper handling allows unauthorized access or modification of database contents.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive data, unauthorized modification or deletion of database contents, and potential disruption of service.
Because the vulnerability allows remote attackers to inject SQL commands without any privileges or user interaction, it poses a high risk to the confidentiality, integrity, and availability of the affected system.
Exploitation could lead to data breaches, data corruption, or complete compromise of the backend database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-31840, immediately upgrade your Parse Server deployment to version 9.6.0-alpha.2 or later if you are using the 9.x branch, or to version 8.6.28 or later if you are using the 8.x branch.
This vulnerability affects only deployments using PostgreSQL databases, so ensure that your backend uses PostgreSQL and apply the update accordingly.
The fix involves proper escaping of dot-notation sub-field values in queries to prevent SQL injection attacks.
No known workarounds exist, so upgrading to the patched versions is the recommended immediate action.