CVE-2026-32234

Received Received - Intake

SQL Injection in Parse Server PostgreSQL via Master Key Abuse

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. This vulnerability is fixed in 9.6.0-alpha.10 and 8.6.36.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-11

Last Modified

2026-03-13

Generated

2026-06-16

AI Q&A

2026-03-11

EPSS Evaluated

2026-06-15

NVD

CVE-2026-32234

EUVD

EUVD-2026-11342

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	to 8.6.36 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-32234 is a moderate severity SQL injection vulnerability affecting Parse Server versions prior to 9.6.0-alpha.10 and 8.6.36 when configured to use PostgreSQL as the database.

An attacker with access to the master key can inject malicious SQL through crafted field names used in query constraints, specifically via the $regex query operator. This happens because the field name is passed to PostgreSQL using unparameterized string interpolation without proper escaping.

This vulnerability bypasses the Parse Server abstraction layer and operates directly at the database level, allowing the attacker to manipulate SQL queries.

The vulnerability only affects Parse Server deployments using PostgreSQL and requires the attacker to have high privileges (master key access).

Impact Analysis

This vulnerability allows an attacker with master key access to inject malicious SQL commands directly into the PostgreSQL database used by Parse Server.

The impact includes potential unauthorized manipulation of the database, which could affect data integrity and availability.

However, the overall impact on confidentiality, integrity, and availability is considered low according to the CVSS v4 base score of 5.1.

The attack complexity is low and the attack vector is network-based, but the attacker must already have high privileges (master key).

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from the use of crafted field names in $regex query operators that are passed to PostgreSQL without proper escaping, allowing SQL injection if an attacker has master key access.

Detection would involve monitoring for unusual or suspicious query patterns involving $regex operators with crafted field names in Parse Server logs or database query logs.

Since the vulnerability requires master key access and exploits unparameterized SQL queries, commands to detect it might include reviewing database query logs for suspicious interpolated SQL or checking Parse Server query logs for unusual $regex field names.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Parse Server to a fixed version that addresses this vulnerability.

Upgrade to Parse Server version 9.6.0-alpha.10 or later if using the 9.x.x branch.
Alternatively, upgrade to version 8.6.36 or later if using the 8.x.x branch.

These versions include patches that properly escape SQL identifiers in query field names and enhance validation to reject malicious field names.

No known workarounds exist, so applying the update is critical.

Hi! I’m here to help you understand CVE-2026-32234. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-32234

SQL Injection in Parse Server PostgreSQL via Master Key Abuse

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart