CVE-2026-32234
SQL Injection in Parse Server PostgreSQL via Master Key Abuse
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | to 8.6.36 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows an attacker with master key access to inject malicious SQL commands directly into the PostgreSQL database used by Parse Server.
The impact includes potential unauthorized manipulation of the database, which could affect data integrity and availability.
However, the overall impact on confidentiality, integrity, and availability is considered low according to the CVSS v4 base score of 5.1.
The attack complexity is low and the attack vector is network-based, but the attacker must already have high privileges (master key).
Can you explain this vulnerability to me?
CVE-2026-32234 is a moderate severity SQL injection vulnerability affecting Parse Server versions prior to 9.6.0-alpha.10 and 8.6.36 when configured to use PostgreSQL as the database.
An attacker with access to the master key can inject malicious SQL through crafted field names used in query constraints, specifically via the $regex query operator. This happens because the field name is passed to PostgreSQL using unparameterized string interpolation without proper escaping.
This vulnerability bypasses the Parse Server abstraction layer and operates directly at the database level, allowing the attacker to manipulate SQL queries.
The vulnerability only affects Parse Server deployments using PostgreSQL and requires the attacker to have high privileges (master key access).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the use of crafted field names in $regex query operators that are passed to PostgreSQL without proper escaping, allowing SQL injection if an attacker has master key access.
Detection would involve monitoring for unusual or suspicious query patterns involving $regex operators with crafted field names in Parse Server logs or database query logs.
Since the vulnerability requires master key access and exploits unparameterized SQL queries, commands to detect it might include reviewing database query logs for suspicious interpolated SQL or checking Parse Server query logs for unusual $regex field names.
However, no specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Parse Server to a fixed version that addresses this vulnerability.
- Upgrade to Parse Server version 9.6.0-alpha.10 or later if using the 9.x.x branch.
- Alternatively, upgrade to version 8.6.36 or later if using the 8.x.x branch.
These versions include patches that properly escape SQL identifiers in query field names and enhance validation to reject malicious field names.
No known workarounds exist, so applying the update is critical.