Parse Server allows attackers to access hidden data through special syntax
GHSA-r2m8-pxm9-9c4g
CVE-2026-31872
Summary
An attacker can use a special syntax to access data that is supposed to be hidden in Parse Server. This can happen in both MongoDB and PostgreSQL deployments. To fix this, update Parse Server to version 9.6.0-alpha.6 or 8.6.32, as the new versions block this kind of access.
What to do
- Update parse-server to version 9.6.0-alpha.6.
- Update parse-server to version 8.6.32.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0-alpha.1, <= 9.6.0-alpha.6 | 9.6.0-alpha.6 |
| – | parse-server | <= 8.6.32 | 8.6.32 |
Original title
Parse Server has a protected fields bypass via dot-notation in query and sort
Original description
### Impact
The `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values.
This affects both MongoDB and PostgreSQL deployments.
### Patches
The fix ensures that query WHERE clause keys and sort keys are checked against protected fields by extracting the root field from dot-notation paths. For example, a query on `secretObj.apiKey` is now correctly blocked when `secretObj` is a protected field.
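The root-field check the patch describes, as an added example that is not Parse Server's own code: it walks a Parse REST-style `where` object (descending into `$or`/`$and`/`$nor` arrays) and an `order` string, reduces every key to its root field, and reports which protected fields the request would touch. The function names and the sample protected field `secretObj` are assumptions for illustration; relation operators such as `$inQuery` are not followed because they target other classes.

```javascript
// Added example (not Parse Server's own code): a pre-query guard that maps
// every WHERE key and sort key to its root field before comparing it with a
// class's protectedFields, so "secretObj.apiKey" counts as a reference to the
// protected field "secretObj". Names and inputs below are constructed.

// Compound operators whose values are arrays of sub-queries in the Parse
// REST query syntax. Any key starting with "$" is an operator, not a field.
const COMPOUND_OPERATORS = new Set(['$or', '$and', '$nor']);

// "secretObj.apiKey" -> "secretObj"; an operator key such as "$or" -> null.
function rootField(key) {
  if (key.startsWith('$')) return null;
  return key.split('.')[0];
}

// Collect every root field referenced anywhere in a where clause, recursing
// into $or/$and/$nor sub-queries. Value-level operators ({$exists: true},
// {$regex: ...}) are values, not keys, so they are never treated as fields.
function referencedFields(where, out = new Set()) {
  for (const [key, value] of Object.entries(where || {})) {
    if (COMPOUND_OPERATORS.has(key) && Array.isArray(value)) {
      value.forEach((sub) => referencedFields(sub, out));
      continue;
    }
    const root = rootField(key);
    if (root !== null) out.add(root);
  }
  return out;
}

// Sort keys use the Parse "order" syntax: comma separated, "-" prefix for
// descending, dot-notation allowed, e.g. "-secretObj.apiKey,createdAt".
function sortFields(order) {
  if (!order) return new Set();
  return new Set(
    order.split(',')
      .map((k) => k.trim().replace(/^-/, ''))
      .filter((k) => k.length > 0)
      .map(rootField)
      .filter((k) => k !== null)
  );
}

// Returns the sorted list of protected root fields the request references.
// An empty list means the request may proceed; a non-empty list means the
// caller should reject the query instead of letting it reach the database.
function findProtectedFieldUse(where, order, protectedFields) {
  const protectedSet = new Set(protectedFields);
  const used = new Set([...referencedFields(where), ...sortFields(order)]);
  return [...used].filter((f) => protectedSet.has(f)).sort();
}
```
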
### Workarounds
None.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.32
CVSS 4.0 score (GHSA): 8.7
Vulnerability type
CWE-284: Improper Access Control
- https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-px...
- https://github.com/parse-community/parse-server/releases/tag/8.6.32
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6
- https://github.com/advisories/GHSA-r2m8-pxm9-9c4g
- https://nvd.nist.gov/vuln/detail/CVE-2026-31872
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026