
Parse Server allows read-only credentials to access user data

CVE-2026-30229 GHSA-79wj-8rqv-jvp5
Summary

Parse Server versions before 8.6.6 and 9.5.0-alpha.4 let the readOnlyMasterKey call POST /loginAs and obtain a valid session token for any user. A credential that is meant to be read-only can therefore impersonate arbitrary users with full read and write access to their data. Any deployment that uses readOnlyMasterKey is affected. Update to a patched version to fix this issue.

What to do
  • Update parseadmin parse-server to version 8.6.6.
  • Update parseadmin parse-server to version 9.5.0-alpha.4.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| parseadmin | parse-server | <= 8.6.6 | 8.6.6 |
| parseadmin | parse-server | > 9.0.0, <= 9.5.0-alpha.4 | 9.5.0-alpha.4 |
| parseplatform | parse-server | <= 8.6.6 | |
| parseplatform | parse-server | > 9.0.0, <= 9.4.1 | |
| parseplatform | parse-server | 9.5.0 | |

Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to ob...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
NVD CVSS 4.0 score: 8.5
Vulnerability type
CWE-863 Incorrect Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026