CVE-2026-31872
Status: Received - Intake
ProtectedFields Bypass via Dot-Notation in Parse Server Queries

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 7 associated CPEs

Vendor          Product        Version / Range
parseplatform   parse-server   9.6.0
parseplatform   parse-server   9.6.0
parseplatform   parse-server   9.6.0
parseplatform   parse-server   9.6.0
parseplatform   parse-server   9.6.0
parseplatform   parse-server   From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform   parse-server   Up to 8.6.32 (exc)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-31872 is a vulnerability in Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 that allows attackers to bypass the protectedFields class-level permission (CLP).

The issue arises because the server did not properly check the root field name when dot-notation was used in query WHERE clauses and sort parameters. This means an attacker can use dot-notation to query or sort by sub-fields of a protected field, effectively circumventing access controls.

This enables a binary oracle attack to enumerate protected field values, exposing sensitive data that should be restricted.

The vulnerability affects both MongoDB and PostgreSQL deployments of Parse Server and is classified as an improper access control issue (CWE-284).
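
The root-field check described above, shown as an added example in JavaScript (this is not Parse Server's own code, and the class fields, the protectedFields list and the sample request are constructed). It assumes the Parse REST query shape, where `where` is a JSON object (with `$or` / `$and` / `$nor` arrays) and `order` is a comma-separated sort list.

```javascript
// Added example, not Parse Server's own code: a defensive pre-check that maps
// every key in a query's where clause and order parameter back to its ROOT
// field, so "secret.value" counts as touching "secret". The field names and
// the sample request below are constructed for illustration.
const PROTECTED_FIELDS = ['secret', 'ssn']; // constructed sample CLP protectedFields

// "secret.value" -> "secret"; a leading "-" (descending sort) is stripped first
function rootField(key) {
  return key.replace(/^-/, '').split('.')[0];
}

// Walk a Parse-style where clause, descending into $or / $and / $nor arrays,
// and collect every key whose root field is protected.
function protectedWhereKeys(where, protectedFields, found = []) {
  if (Array.isArray(where)) {
    where.forEach(sub => protectedWhereKeys(sub, protectedFields, found));
  } else if (where && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      if (['$or', '$and', '$nor'].includes(key)) {
        protectedWhereKeys(value, protectedFields, found);
      } else if (protectedFields.includes(rootField(key))) {
        found.push(key);
      }
    }
  }
  return found;
}

// order is the REST-style comma-separated sort list, e.g. "-secret.value,name"
function protectedSortKeys(order, protectedFields) {
  if (!order) return [];
  return order.split(',').map(s => s.trim())
    .filter(k => k && protectedFields.includes(rootField(k)));
}

// Returns the offending keys; both lists empty means the query may proceed.
function checkQuery({ where, order }, protectedFields = PROTECTED_FIELDS) {
  return {
    where: protectedWhereKeys(where, protectedFields),
    sort: protectedSortKeys(order, protectedFields),
  };
}

// Constructed request: a harmless filter plus sub-field access on protected
// fields in both the where clause and the sort parameter.
const sample = {
  where: { name: 'alice', $or: [{ 'secret.value': 1 }, { 'ssn.region': 'x' }] },
  order: '-secret.value,name',
};
console.log(checkQuery(sample));
```

A request for which either list is non-empty should be rejected before it reaches the database adapter; comparing only the full dotted key against the protectedFields list is exactly the gap the advisory describes.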

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive or protected data fields within your Parse Server backend.

An attacker can exploit the flaw remotely without any privileges or user interaction by crafting queries or sort parameters using dot-notation to access sub-fields of protected fields.

This unauthorized access can result in data leakage, exposing confidential information that was intended to be protected by class-level permissions.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-31872 in Parse Server, you should upgrade your Parse Server deployment to version 9.6.0-alpha.6 or later if you are using the 9.x series, or to version 8.6.32 or later if you are using the 8.x series.

These updates include patches that properly handle dot-notation in query WHERE clauses and sort parameters, preventing bypass of protectedFields class-level permissions.

No workarounds are available, so applying the official security patches is the immediate and recommended action.
