Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.6
Parse Server allows unauthorized access to sensitive data and operations
CVE-2026-29182
GHSA-vc89-5g3r-cmhh
GHSA-vc89-5g3r-cmhh
Summary
If you're using Parse Server, an attacker with a specific key could delete or modify certain settings and access sensitive data, but only if they have that key. To fix this, update to Parse Server version 8.6.4 or 9.4.1-alpha.3 or later.
What to do
- Update parseadmin parse-server to version 9.4.1-alpha.3.
- Update parseadmin parse-server to version 8.6.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| parseadmin | parse-server | > 9.0.0 , <= 9.4.1-alpha.2 | 9.4.1-alpha.3 |
| parseadmin | parse-server | <= 8.6.3 | 8.6.4 |
| parseadmin | parse-server | > 9.0.0 , <= 9.4.1-alpha.3 | 9.4.1-alpha.3 |
| parseadmin | parse-server | <= 8.6.4 | 8.6.4 |
| parseplatform | parse-server | <= 8.6.4 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.4.0 | – |
| parseplatform | parse-server | 9.4.1 | – |
| parseplatform | parse-server | 9.4.1 | – |
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows acc...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
nvd CVSS4.0
8.6
Vulnerability type
CWE-863
Incorrect Authorization
- https://github.com/advisories/GHSA-vc89-5g3r-cmhh
- https://github.com/parse-community/parse-server/releases/tag/8.6.4
- https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3
- https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g...
- https://nvd.nist.gov/vuln/detail/CVE-2026-29182
- https://github.com/parse-community/parse-server Product
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026