Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
9.3

Parse Server: SQL Injection via Malicious Database Queries

GHSA-q3vj-96h2-gwvg CVE-2026-31856
Summary

Parse Server's PostgreSQL adapter has a vulnerability that allows hackers to access sensitive data by sending malicious database requests. This only affects Parse Server with PostgreSQL, not MongoDB. To fix the issue, update to Parse Server version 9.6.0-alpha.3 or 8.6.29.

What to do
  • Update parse-server to version 9.6.0-alpha.3.
  • Update parse-server to version 8.6.29.
Affected software
VendorProductAffected versionsFix available
parse-server > 9.0.0-alpha.1 , <= 9.6.0-alpha.3 9.6.0-alpha.3
parse-server <= 8.6.29 8.6.29
parseplatform parse-server <= 8.6.29
parseplatform parse-server > 9.0.0 , <= 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increm...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.
ghsa CVSS4.0 9.3
Vulnerability type
CWE-89 SQL Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026