CVE-2026-31871
SQL Injection in Parse Server PostgreSQL Adapter Enables Data Access
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 (pre-release builds earlier than 9.6.0-alpha.5) |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | Before 8.6.31 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31871 is a critical SQL injection vulnerability in the PostgreSQL storage adapter of Parse Server. It occurs when the adapter processes Increment operations on nested object fields addressed with dot notation (e.g., stats.counter). The sub-key name taken from the request (counter in that example) is interpolated directly into the SQL query text without escaping; in particular, single quotes are not neutralized.
An attacker who can send write requests to the Parse Server REST API can therefore craft a sub-key name containing a single quote, terminate the string literal the adapter builds, and append arbitrary SQL. This allows unauthorized execution of SQL commands, including reading or modifying database data, and bypasses Class-Level Permissions (CLPs) and Access Control Lists (ACLs), because those checks are enforced by Parse Server above the database layer. Only deployments using PostgreSQL are affected; MongoDB deployments are not.
The vulnerability is fixed in Parse Server versions 9.6.0-alpha.5 and 8.6.31 by properly escaping single quotes in sub-key names before SQL query interpolation.
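To make the mechanism concrete, the following JavaScript is an added illustration of the bug class described above, not Parse Server's own adapter code: a builder for the UPDATE that an Increment on the nested key stats.counter would need, first with the sub-key spliced into the SQL text, then with single quotes doubled (the style of fix the advisory describes), then with the sub-key bound as a query parameter. The table and column names, the jsonb_set shape of the statement, and the extractLiterals helper are all assumptions made for the example.

```javascript
// Added example, not Parse Server's code: the bug class on this page reduced to a
// SQL builder for an Increment on a nested key ("stats.counter" -> column "stats",
// sub-key "counter"). Table/column names and the jsonb_set shape are assumptions.

// Table and column names come from schema metadata here, never from the request;
// still allowlist them, because they are spliced in as double-quoted identifiers.
function assertIdentifier(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error(`bad identifier: ${name}`);
  return name;
}

// VULNERABLE pattern: the request-controlled sub-key lands inside two SQL string
// literals unchanged, so a single quote in it ends the literal and whatever
// follows is parsed as SQL.
function buildIncrementVulnerable(table, column, subKey, amount) {
  const t = assertIdentifier(table), c = assertIdentifier(column), n = Number(amount);
  return `UPDATE "${t}" SET "${c}" = jsonb_set(COALESCE("${c}", '{}'::jsonb), ` +
    `'{${subKey}}', (COALESCE(("${c}"->>'${subKey}')::numeric, 0) + ${n})::text::jsonb)`;
}

// Fix in the spirit of the advisory: double every single quote before interpolating,
// so the sub-key can no longer close the literal.
function escapeLiteral(s) {
  return String(s).replace(/'/g, "''");
}
function buildIncrementEscaped(table, column, subKey, amount) {
  const t = assertIdentifier(table), c = assertIdentifier(column), n = Number(amount);
  if (!Number.isFinite(n)) throw new TypeError('amount must be a finite number');
  const k = escapeLiteral(subKey);
  return `UPDATE "${t}" SET "${c}" = jsonb_set(COALESCE("${c}", '{}'::jsonb), ` +
    `'{${k}}', (COALESCE(("${c}"->>'${k}')::numeric, 0) + ${n})::text::jsonb)`;
}

// Preferred: keep the sub-key and the amount out of the SQL text entirely and bind
// them ($1, $2). ARRAY[$1] also sidesteps the '{a,b}' path-literal syntax, where a
// comma in the sub-key would otherwise be read as a second path element.
function buildIncrementParameterized(table, column, subKey, amount) {
  const t = assertIdentifier(table), c = assertIdentifier(column), n = Number(amount);
  if (!Number.isFinite(n)) throw new TypeError('amount must be a finite number');
  return {
    text: `UPDATE "${t}" SET "${c}" = jsonb_set(COALESCE("${c}", '{}'::jsonb), ` +
      `ARRAY[$1::text], (COALESCE(("${c}"->>$1::text)::numeric, 0) + $2::numeric)::text::jsonb)`,
    values: [String(subKey), n],
  };
}

// Check helper: list the single-quoted literals in SQL text ('' counts as an
// escaped quote). If the sub-key comes back as ONE literal, it did not break out.
function extractLiterals(sql) {
  const out = [];
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    let buf = '';
    for (i++; ; i++) {
      if (i >= sql.length) { out.push(null); return out; }   // unterminated literal
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { buf += "'"; i++; continue; }
        break;                                               // closing quote
      }
      buf += sql[i];
    }
    out.push(buf);
  }
  return out;
}

// Constructed malicious sub-key: closes the literal early and continues with SQL
// of its own (here a harmless concatenation, enough to show the break-out).
const payload = "x'||'y";
console.log(extractLiterals(buildIncrementVulnerable('GameScore', 'stats', payload, 1)));
console.log(extractLiterals(buildIncrementEscaped('GameScore', 'stats', payload, 1)));
console.log(buildIncrementParameterized('GameScore', 'stats', payload, 1));
```

Running it shows the vulnerable builder splitting the payload across several literals (the attacker's text is now SQL), the escaped builder returning the whole payload as one literal, and the parameterized builder never placing the sub-key in the statement text at all. Doubling quotes closes this bug; binding the value is the form that stays closed when the statement is later changed.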
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of SQL commands on your PostgreSQL database used by Parse Server. An attacker can inject malicious SQL to read, modify, or delete data without proper authorization.
It allows bypassing of Class-Level Permissions (CLPs) and Access Control Lists (ACLs), meaning security controls intended to protect data can be circumvented.
Because the attack is carried out over the network through ordinary write requests to the REST API, needs no user interaction, and requires no privileges beyond the ability to send those requests, it can be exploited remotely and may lead to data breaches, data loss, or service disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
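The answer above is blank, so here is a check derived from the affected-version table and the fix notes on this page, as an added JavaScript example rather than Parse Server's own tooling. It assumes the installed version can be read from parse-server's package.json and that Parse Server selects its PostgreSQL adapter when databaseURI uses the postgres:// or postgresql:// scheme (an assumption about adapter selection; confirm it against your configuration). The version comparison follows semver precedence so that 9.6.0-alpha.4 is correctly placed before the 9.6.0-alpha.5 fix.

```javascript
// Added example, not Parse Server's tooling: check an installed parse-server
// version and databaseURI against the affected range stated on this page.
// Fixed releases per the advisory text: 8.6.31 (8.x) and 9.6.0-alpha.5 (9.x).
const FIXED_8 = '8.6.31';
const FIXED_9 = '9.6.0-alpha.5';

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver 2.0 precedence. The pre-release rule matters here: 9.6.0-alpha.4 sorts
// BEFORE 9.6.0-alpha.5, and both sort before the 9.6.0 release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;    // a release outranks any pre-release of the same core
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;   // numeric identifiers sort before alphanumeric
    else if (p !== q) return p < q ? -1 : 1;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Affected per the table on this page: everything below 8.6.31, and 9.x below 9.6.0-alpha.5.
function isAffectedVersion(version) {
  const major = parseSemver(version).core[0];
  if (major <= 8) return compareSemver(version, FIXED_8) < 0;
  if (major === 9) return compareSemver(version, FIXED_9) < 0;
  return false;
}

// Assumption: Parse Server uses its PostgreSQL adapter when databaseURI has a
// postgres:// or postgresql:// scheme; MongoDB deployments are out of scope.
function usesPostgres(databaseURI) {
  return /^postgres(ql)?:\/\//i.test(String(databaseURI || ''));
}

function assessDeployment({ version, databaseURI }) {
  if (!usesPostgres(databaseURI)) return { affected: false, reason: 'not using the PostgreSQL adapter' };
  if (!isAffectedVersion(version)) return { affected: false, reason: `${version} is at or past the fix` };
  return { affected: true, reason: `${version} is within the affected range; upgrade` };
}

// Stand-alone use: read the installed version and DATABASE_URI from the environment.
// Constructed fallback values are used when parse-server is not installed locally.
let installed = '9.5.0';   // constructed sample value
try { installed = require('parse-server/package.json').version; } catch (_) { /* not installed here */ }
console.log(assessDeployment({ version: installed, databaseURI: process.env.DATABASE_URI || 'postgres://localhost/parse' }));
```

Run it from the directory of the Parse Server deployment (node check.js, with DATABASE_URI set as in your config). It reports affected only when both conditions hold: a version in the range from the table and a PostgreSQL databaseURI. Note that npm ls parse-server gives the same version number if you prefer a one-liner, but it will not tell you which storage adapter is in use.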
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-31871 vulnerability, you should upgrade your Parse Server to a fixed version.
- Upgrade to Parse Server version 9.6.0-alpha.5 or later if you are using the 9.x series.
- Upgrade to Parse Server version 8.6.31 or later if you are using the 8.x series.
These versions include patches that properly escape single quotes in sub-key names used in Increment operations, preventing SQL injection attacks.
No known workarounds exist, so upgrading is the recommended immediate action.