CVE-2026-31872
Received - Intake
ProtectedFields Bypass via Dot-Notation in Parse Server Queries

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 7 associated CPEs
Vendor          Product         Version / Range
parseplatform   parse-server    9.6.0 (listed five times)
parseplatform   parse-server    from 9.0.0 (inclusive) to 9.6.0 (exclusive)
parseplatform   parse-server    up to 8.6.32 (exclusive)
CWE
CWE-284 Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31872 is a vulnerability in Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 that allows attackers to bypass the protectedFields class-level permission (CLP).

The issue arises because the server did not properly check the root field name when dot-notation was used in query WHERE clauses and sort parameters. This means an attacker can use dot-notation to query or sort by sub-fields of a protected field, effectively circumventing access controls.

This enables a binary oracle attack: the protected values are never returned in a response, but whether a query matches (or how its results are ordered) depends on them, so each request answers one yes/no question about a hidden value and repeated requests enumerate it.

The vulnerability affects both MongoDB and PostgreSQL deployments of Parse Server and is classified as an improper access control issue (CWE-284).
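The following is an added illustration, not Parse Server's own code: a hypothetical model of the protectedFields check before and after the fix (compare the whole key versus compare its root field), together with the yes/no oracle the pre-fix check leaves open. The sample class, the helper names (rootField, find, recoverViaOracle) and the use of a $gt comparison as the oracle question are all assumptions made for this example; the advisory itself does not specify which operator an attacker would use.

```javascript
// Added illustration, not Parse Server's code: a hypothetical model of the
// protectedFields check before and after the fix, plus the yes/no oracle the
// pre-fix check leaves open. Names (rootField, find, recoverViaOracle) and
// the data below are constructed for this example.

// Constructed sample class. "profile" is listed in the class's protectedFields
// CLP, so clients must never learn profile.ssn.
const PROTECTED_FIELDS = ['profile'];
const ROWS = [
  { objectId: 'a1', name: 'alice', profile: { ssn: 4521, tier: 'gold' } },
  { objectId: 'b2', name: 'bob',   profile: { ssn: 7733, tier: 'free' } },
];

// Collect every field name a request touches: keys of the where clause plus
// sort keys (modelled as an array of names, "-" prefix meaning descending).
function referencedKeys(where, sort) {
  return [...Object.keys(where), ...sort.map((s) => s.replace(/^-/, ''))];
}

// Pre-fix behaviour (modelled): the whole key is compared against the
// protected list, so "profile.ssn" is not found in ["profile"] and passes.
function touchesProtectedVulnerable(where, sort, protectedFields) {
  return referencedKeys(where, sort).some((k) => protectedFields.includes(k));
}

// Fixed behaviour: reduce each key to its root field ("profile.ssn" -> "profile")
// before the comparison.
function rootField(key) {
  return key.split('.')[0];
}
function touchesProtectedFixed(where, sort, protectedFields) {
  return referencedKeys(where, sort).some((k) => protectedFields.includes(rootField(k)));
}

// Minimal evaluator for the two constraint shapes used here: equality and
// {$gt: n}, both resolved through dotted paths the way a database would.
function getPath(obj, path) {
  return path.split('.').reduce((o, p) => (o == null ? undefined : o[p]), obj);
}
function matches(row, where) {
  return Object.entries(where).every(([key, cond]) => {
    const v = getPath(row, key);
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) return v > cond.$gt;
    return v === cond;
  });
}

// Server model: refuse requests that touch a protected field; otherwise return
// matching objects with the protected field stripped, as protectedFields does.
function find(where, sort, check) {
  if (check(where, sort, PROTECTED_FIELDS)) throw new Error('query touches a protected field');
  return ROWS.filter((r) => matches(r, where)).map(({ profile, ...rest }) => rest);
}

// The oracle: the response never contains profile.ssn, but whether object
// `objectId` is returned answers "is ssn > mid?". Binary search over [lo, hi]
// recovers the exact value in at most ceil(log2(hi - lo + 1)) requests.
function recoverViaOracle(check, objectId, lo, hi) {
  let queries = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    queries += 1;
    const hit = find({ objectId, 'profile.ssn': { $gt: mid } }, [], check).length > 0;
    if (hit) lo = mid + 1; else hi = mid;
  }
  return { value: lo, queries };
}

// Run stand-alone: the vulnerable check leaks the value, the fixed check refuses.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', recoverViaOracle(touchesProtectedVulnerable, 'a1', 0, 9999));
  try { recoverViaOracle(touchesProtectedFixed, 'a1', 0, 9999); }
  catch (e) { console.log('fixed:', e.message); }
}
```

Two caveats on the model. It only looks at top-level where keys and sort names; a real Parse query can also nest constraints under operators such as $or, and a check of this kind has to descend into those as well. And the sort path is just as useful to an attacker as the where path: a request that sorts by profile.tier leaks the ordering of a protected sub-field even though no where constraint mentions it, which is why the example feeds both key sets through the same root-field check.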


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to sensitive or protected data fields within your Parse Server backend.

An attacker able to send queries to the server can exploit the flaw remotely by crafting WHERE clauses or sort parameters that use dot-notation to reach sub-fields of a protected field; the protected fields are never returned in a response, but the match or ordering of each query depends on them, so their contents leak one yes/no answer at a time.

This unauthorized access can result in data leakage, exposing confidential information that was intended to be protected by class-level permissions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability CVE-2026-31872 in Parse Server, you should upgrade your Parse Server deployment to version 9.6.0-alpha.6 or later if you are using the 9.x series, or to version 8.6.32 or later if you are using the 8.x series.

These updates include patches that properly handle dot-notation in query WHERE clauses and sort parameters, preventing bypass of protectedFields class-level permissions.

No workarounds are available, so applying the official security patches is the immediate and recommended action. Note that the 9.x fix ships in a prerelease build (9.6.0-alpha.6), while the CPE data above lists the affected 9.x range as 9.0.0 up to, but not including, 9.6.0; confirm the exact installed version, including any prerelease suffix, when deciding whether a deployment is patched.
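The version comparison this requires is easy to get wrong, because one of the fixed versions is itself a prerelease. The following is an added example (not from the advisory or from Parse Server) that implements semver precedence, including prerelease ordering, and applies the two fix versions the advisory names. The function names (parseSemver, compareSemver, isFixed) are made up for this example, and treating majors above 9 as carrying the fix is an assumption the advisory does not state.

```javascript
// Added example, not from the advisory or Parse Server: decide whether an
// installed parse-server version carries the fix for CVE-2026-31872, using
// the fixed versions the advisory names. Prerelease ordering matters because
// the 9.x fix (9.6.0-alpha.6) is itself a prerelease: a plain string compare
// would rank "9.6.0-alpha.10" below "9.6.0-alpha.6".

// Fix versions from the advisory text.
const FIXED_9X = '9.6.0-alpha.6';
const FIXED_8X = '8.6.32';

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" (optional leading "v") into parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Semver precedence: numeric core first; a prerelease sorts before its release;
// prerelease identifiers compare numerically when both are digits, numeric
// identifiers rank below alphanumeric ones, and a longer list ranks higher.
function compareSemver(a, b) {
  const A = parseSemver(a);
  const B = parseSemver(b);
  for (let i = 0; i < 3; i += 1) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.pre.length === 0 || B.pre.length === 0) return Math.sign(B.pre.length - A.pre.length);
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i += 1) {
    const x = A.pre[i];
    const y = B.pre[i];
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return Math.sign(A.pre.length - B.pre.length);
}

// True when `installed` is at or above the fix for its release line. The 9.x
// threshold is also applied to any later major (assumption: later lines carry
// the fix); anything below 8.6.32, including 7.x and older, is affected.
function isFixed(installed) {
  const major = parseSemver(installed).core[0];
  const threshold = major >= 9 ? FIXED_9X : FIXED_8X;
  return compareSemver(installed, threshold) >= 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['8.6.31', '8.6.32', '9.5.2', '9.6.0-alpha.5', '9.6.0-alpha.10', '9.6.0']) {
    console.log(v, isFixed(v) ? 'fixed' : 'AFFECTED');
  }
}
```

To obtain the installed version, read the version field of node_modules/parse-server/package.json in the deployment, or run npm ls parse-server in the project directory, and pass the result to isFixed. The function follows the advisory text rather than the coarser CPE range, so 9.6.0-alpha.6 and later 9.6.0 prereleases count as fixed.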

