CVE-2026-32878
Prototype Pollution in Parse Server Allows Schema Manipulation
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | to 8.6.44 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
This vulnerability affects Parse Server versions prior to 9.6.0-alpha.20 and 8.6.44. An attacker can bypass the default request keyword denylist protection and class-level permission restrictions for adding fields by sending a specially crafted request. This request exploits prototype pollution in the deep copy mechanism, allowing the attacker to inject fields into class schemas that normally have field addition locked down.
The injection can cause permanent schema type conflicts that cannot be resolved even with the master key. The issue was fixed by replacing the vulnerable third-party deep copy library with a built-in deep clone mechanism that safely handles prototype properties and allows the denylist check to correctly detect and reject prohibited keywords.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass security controls that prevent unauthorized addition of fields to class schemas in Parse Server. By exploiting prototype pollution, the attacker can inject unauthorized fields, potentially causing permanent schema type conflicts.
Such unauthorized modifications can undermine data integrity and security, potentially leading to unexpected behavior in applications relying on the schema, and these conflicts cannot be resolved even with the master key.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Parse Server to version 9.6.0-alpha.20 or later, or 8.6.44 or later. These versions replace the vulnerable third-party deep copy library with a built-in deep clone mechanism that safely handles prototype properties and enforces the denylist protection correctly.
No known workarounds are available, so applying the update is the immediate and recommended step.