CVE-2026-31871

Received Received - Intake

SQL Injection in Parse Server PostgreSQL Adapter Enables Data Access

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-11

Last Modified

2026-03-13

Generated

2026-06-16

AI Q&A

2026-03-11

EPSS Evaluated

2026-06-15

NVD

CVE-2026-31871

EUVD

EUVD-2026-11277

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	to 8.6.31 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-31871 is a critical SQL injection vulnerability in the PostgreSQL storage adapter of Parse Server. It occurs when processing Increment operations on nested object fields accessed via dot notation (e.g., stats.counter). The vulnerability arises because the sub-key name is directly inserted into SQL query strings without proper escaping, especially of single quotes.

An attacker who can send write requests to the Parse Server REST API can craft sub-key names containing single quotes to inject arbitrary SQL commands. This can lead to unauthorized execution of SQL commands, including reading or modifying database data, bypassing Class-Level Permissions (CLPs) and Access Control Lists (ACLs). Only deployments using PostgreSQL are affected.

The vulnerability is fixed in Parse Server versions 9.6.0-alpha.5 and 8.6.31 by properly escaping single quotes in sub-key names before SQL query interpolation.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of SQL commands on your PostgreSQL database used by Parse Server. An attacker can inject malicious SQL to read, modify, or delete data without proper authorization.

It allows bypassing of Class-Level Permissions (CLPs) and Access Control Lists (ACLs), meaning security controls intended to protect data can be circumvented.

Because the attack vector is network-based and requires no privileges or user interaction, it is easy to exploit remotely, potentially leading to data breaches, data loss, or service disruption.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-31871 vulnerability, you should upgrade your Parse Server to a fixed version.

Upgrade to Parse Server version 9.6.0-alpha.5 or later if you are using the 9.x series.
Upgrade to Parse Server version 8.6.31 or later if you are using the 8.x series.

These versions include patches that properly escape single quotes in sub-key names used in Increment operations, preventing SQL injection attacks.

No known workarounds exist, so upgrading is the recommended immediate action.

Hi! I’m here to help you understand CVE-2026-31871. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-31871

SQL Injection in Parse Server PostgreSQL Adapter Enables Data Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart