
Parse Server: Malicious File Upload and Deletion via readOnlyMasterKey

CVE-2026-30228 GHSA-xfh7-phr7-gr2x
Summary

Parse Server deployments that use the readOnlyMasterKey and expose the Files API are at risk of unauthorized file uploads or deletions. An attacker with access to the readOnlyMasterKey can exploit this vulnerability to create or delete files. Upgrade to version 8.6.5 or 9.5.0-alpha.3 to patch the issue.

What to do
  • Update parseadmin parse-server to version 9.5.0-alpha.3.
  • Update parseadmin parse-server to version 8.6.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| parseadmin | parse-server | > 9.0.0 , <= 9.5.0-alpha.3 | 9.5.0-alpha.3 |
| parseadmin | parse-server | <= 8.6.5 | 8.6.5 |
| parseplatform | parse-server | <= 8.6.5 | |
| parseplatform | parse-server | > 9.0.0 , <= 9.4.1 | |
| parseplatform | parse-server | 9.5.0 | |
| parseplatform | parse-server | 9.5.0 | |
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and de...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
nvd CVSS4.0 6.9
Vulnerability type
CWE-863 Incorrect Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026