CVE-2026-31856
Received Received - Intake
SQL Injection in Parse Server PostgreSQL Adapter Enables Data Exposure

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31856
EUVD
EUVD-2026-11255
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server to 8.6.29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31856 is a critical SQL injection vulnerability in the Parse Server PostgreSQL storage adapter. It occurs when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The vulnerability arises because the amount value is directly interpolated into SQL queries without parameterization or type validation.

An attacker who can send write requests to the Parse Server REST API can exploit this flaw to inject arbitrary SQL subqueries. This allows them to read any data from the database and bypass Class-Level Permissions (CLPs) and Access Control Lists (ACLs). MongoDB deployments are not affected by this vulnerability.

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure and modification of data stored in the PostgreSQL database used by Parse Server.

  • Attackers can execute arbitrary SQL commands remotely without any privileges or user interaction.
  • They can bypass security controls such as Class-Level Permissions (CLPs) and Access Control Lists (ACLs).
  • Sensitive data can be read or altered, compromising confidentiality and integrity.

There is no impact on availability, but the high confidentiality and integrity impacts make this a critical security risk.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate the SQL injection vulnerability in Parse Server's PostgreSQL storage adapter, you should upgrade your Parse Server deployment to a fixed version."}, {'type': 'list_item', 'content': 'Upgrade to version 8.6.29 or later if you are using the 8.x branch.'}, {'type': 'list_item', 'content': 'Upgrade to version 9.6.0-alpha.3 or later if you are using the 9.x branch.'}, {'type': 'paragraph', 'content': 'These versions include fixes that add strict type validation to reject non-numeric increment amounts and use parameterized SQL queries to prevent SQL injection attacks.'}, {'type': 'paragraph', 'content': 'Note that no known workarounds exist, so upgrading is the recommended immediate action.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart