CVE-2026-31840
Received Received - Intake
SQL Injection in Parse Server PostgreSQL Queries via Dot-Notation

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31840
EUVD
EUVD-2026-11241
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server to 8.6.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31840 is a critical SQL injection vulnerability in Parse Server versions prior to 9.6.0-alpha.2 and 8.6.28 that affects deployments using PostgreSQL databases.

The vulnerability arises from improper escaping of dot-notation sub-field values in queries, especially when using the sort query parameter, but also potentially affecting distinct and where parameters.

An attacker can exploit this by injecting malicious SQL code through specially crafted dot-notation field names, which can manipulate SQL queries executed on the PostgreSQL database.

This improper handling allows unauthorized access or modification of database contents.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data, unauthorized modification or deletion of database contents, and potential disruption of service.

Because the vulnerability allows remote attackers to inject SQL commands without any privileges or user interaction, it poses a high risk to the confidentiality, integrity, and availability of the affected system.

Exploitation could lead to data breaches, data corruption, or complete compromise of the backend database.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate CVE-2026-31840, immediately upgrade your Parse Server deployment to version 9.6.0-alpha.2 or later if you are using the 9.x branch, or to version 8.6.28 or later if you are using the 8.x branch.

This vulnerability affects only deployments using PostgreSQL databases, so ensure that your backend uses PostgreSQL and apply the update accordingly.

The fix involves proper escaping of dot-notation sub-field values in queries to prevent SQL injection attacks.

No known workarounds exist, so upgrading to the patched versions is the recommended immediate action.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart