Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
6.3

Parse Server: File metadata exposed to unauthorized users

CVE-2026-30850 GHSA-hwx8-q9cg-mqmc
Summary

If you're using a version of Parse Server prior to 8.6.9 or 9.5.0-alpha.9, an attacker could access file metadata without permission. This is fixed in the latest versions of the software. Update to the latest version to prevent unauthorized access.

What to do
  • Update parse-server to version 8.6.9.
  • Update parse-server to version 9.5.0-alpha.9.
Affected software
VendorProductAffected versionsFix available
parse-server <= 8.6.9 8.6.9
parse-server > 9.0.0-alpha.1 , <= 9.5.0-alpha.9 9.5.0-alpha.9
parseplatform parse-server <= 8.6.9
parseplatform parse-server > 9.0.0 , <= 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
parseplatform parse-server 9.5.0
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/meta...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
nvd CVSS4.0 6.3
Vulnerability type
CWE-862 Missing Authorization
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026