Parse Server on PostgreSQL vulnerable to SQL Injection via malicious keys

GHSA-gqpp-xgvh-9h7h · CVE-2026-31871 · CVSS 4.0 base score 9.3
Summary

An attacker who can send write requests to a Parse Server that uses the PostgreSQL storage adapter may be able to execute arbitrary SQL against the database, potentially running commands or reading data while bypassing class-level permissions (CLPs) and ACLs. The cause is that the adapter interpolates the sub-key name of a dot-notation field (for example the `counter` in `stats.counter`) directly into SQL string literals when building an `Increment` operation, without escaping single quotes. Only PostgreSQL deployments are affected. To fix this, update Parse Server to 9.6.0-alpha.5 (9.x line) or 8.6.31 (8.x line).

What to do
  • Parse Server 9.x: update parse-server to 9.6.0-alpha.5 or later.
  • Parse Server 8.x: update parse-server to 8.6.31 or later.
  • Only deployments using the PostgreSQL storage adapter are affected, and no workaround other than updating is known.
Affected software
Vendor           Product        Affected versions                    Fix available
parse-community  parse-server   > 9.0.0-alpha.1, < 9.6.0-alpha.5     9.6.0-alpha.5
parse-community  parse-server   < 8.6.31                             8.6.31
Original title
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Original description
### Impact

A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs.

Only Postgres deployments are affected.

### Patches

The fix escapes single quotes in the sub-key name before interpolating it into the SQL query, preventing breakout from SQL string literals.

### Workarounds

There is no known workaround.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.31
Severity: CVSS 4.0 base score 9.3 (source: GHSA)
Vulnerability type: CWE-89 SQL Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026