7.8
Parse Server allows unauthorized access to sensitive data
CVE-2026-30962
GHSA-72hp-qff8-4pvv
Summary
Parse Server's default protected fields can be bypassed by using logical operators in queries, allowing any authenticated user to access sensitive data. This affects all Parse Server deployments. To protect your data, update to the latest version of Parse Server or implement a custom solution to manually inspect and reject queries that try to access protected fields.
What to do
- Update parse-server to version 9.5.2-alpha.6.
- Update parse-server to version 8.6.19.
- Update parse to version 9.5.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0 , <= 9.5.2-alpha.6 | 9.5.2-alpha.6 |
| – | parse-server | <= 8.6.19 | 8.6.19 |
| parseplatform | parse-server | <= 8.6.19 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.2 | – |
| parseplatform | parse-server | 9.5.2 | – |
| – | parse | > 9.0.0 , <= 9.5.2 | 9.5.2 |
Original title
Parse Server has a protected fields bypass via logical query operators
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
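The description above says the vulnerable check looked only at top-level query keys, and the summary suggests manually inspecting and rejecting such queries. The following is an added example, not Parse Server's code or its fix: a recursive inspection of a query's `where` clause that descends into the logical operators `$or`, `$and` and `$nor`. The function names, the protected-field list and the sample queries are constructed for illustration.

```javascript
// Added example: recursive check for protected fields in a Parse-style "where" clause.
// Function names, PROTECTED and the sample queries are constructed for illustration.
const LOGICAL_OPERATORS = ['$or', '$and', '$nor'];

// Return every path at which a protected field is constrained, at any depth.
function findProtectedConstraints(where, protectedFields, path = 'where') {
  const hits = [];
  if (where === null || typeof where !== 'object' || Array.isArray(where)) return hits;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.includes(key)) {
      // Logical operators carry an array of sub-queries; check each branch in turn.
      const branches = Array.isArray(value) ? value : [];
      branches.forEach((branch, i) => {
        hits.push(...findProtectedConstraints(branch, protectedFields, `${path}.${key}[${i}]`));
      });
    } else if (protectedFields.includes(key.split('.')[0])) {
      // Dotted keys such as "email.x" still address the protected field.
      hits.push(`${path}.${key}`);
    }
  }
  return hits;
}

// A check that only looks at top-level keys, the behaviour the advisory describes.
function topLevelOnlyCheck(where, protectedFields) {
  return Object.keys(where).filter((k) => protectedFields.includes(k));
}

// Throw when a query constrains a protected field anywhere in its tree.
function assertNoProtectedConstraints(where, protectedFields) {
  const hits = findProtectedConstraints(where, protectedFields);
  if (hits.length > 0) {
    throw new Error(`query constrains protected field(s): ${hits.join(', ')}`);
  }
}

const PROTECTED = ['email']; // constructed list of protected fields
const direct = { email: 'a@example.com' };
const wrapped = { $or: [{ email: 'a@example.com' }, { username: 'x' }] };
const nested = { $and: [{ $nor: [{ 'email.x': 1 }] }] };
const benign = { $or: [{ username: 'a' }, { username: 'b' }] };

console.log(topLevelOnlyCheck(wrapped, PROTECTED));        // top-level check sees nothing
console.log(findProtectedConstraints(wrapped, PROTECTED)); // recursive check flags the branch
console.log(findProtectedConstraints(benign, PROTECTED));  // ordinary logical query passes
```

A check like this is a stopgap for deployments that cannot upgrade immediately; the fixed releases listed on this page remain the actual remedy.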
nvd CVSS4.0
7.1
Vulnerability type
CWE-284
Improper Access Control
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.19
- https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6
- https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qf...
- https://nvd.nist.gov/vuln/detail/CVE-2026-30962
- https://github.com/advisories/GHSA-72hp-qff8-4pvv
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30962... Vendor Advisory
- https://github.com/parse-community/parse-server Product
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026