6.3
Parse Server allows unauthorized access to sensitive files
CVE-2026-30848
GHSA-hm3f-q6rw-m6wh
Summary
Parse Server, an open source Node.js backend, had a path traversal weakness in its PagesRouter static file serving route that let unauthenticated attackers read files outside the configured pages directory. This was fixed in versions 8.6.8 and 9.5.0-alpha.8, so update your Parse Server to these versions to stay secure.
What to do
- Update parse-server to version 8.6.8.
- Update parse-server to version 9.5.0-alpha.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | <= 8.6.8 | 8.6.8 |
| – | parse-server | > 9.0.0-alpha.1 , <= 9.5.0-alpha.8 | 9.5.0-alpha.8 |
| parseplatform | parse-server | <= 8.6.8 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
Original title
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulne...
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.
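The boundary-check flaw described above, shown next to a separator-aware check. This is an added example for illustration, not Parse Server's own code; the function names, the `/srv/app/pages` layout and the sample request paths are assumptions constructed here.

```javascript
// Added example: illustrative only, not taken from the Parse Server code base.
// path.posix keeps the results identical on every platform.
const path = require('path').posix;

// Constructed layout (assumption): a pages directory that has a sibling
// directory whose name starts with the same characters.
const PAGES_PATH = '/srv/app/pages';

// Flawed check: normalizes the path, then compares by string prefix only.
// "/srv/app/pages-secret/..." starts with "/srv/app/pages", so it passes.
function isInsidePrefixOnly(pagesPath, requested) {
  const base = path.resolve(pagesPath);
  const resolved = path.resolve(base, requested);
  return resolved.startsWith(base);
}

// Hardened check: the resolved path must be the base directory itself or
// begin with the base directory followed by a directory separator.
function isInsideWithSeparator(pagesPath, requested) {
  if (requested.includes('\0')) return false; // reject embedded NUL bytes
  const base = path.resolve(pagesPath);
  const resolved = path.resolve(base, requested);
  // Avoid producing "//" when the base is the filesystem root.
  const prefix = base.endsWith(path.sep) ? base : base + path.sep;
  return resolved === base || resolved.startsWith(prefix);
}

// Runs both checks over constructed request paths so the difference is visible.
function compareChecks(requests) {
  return requests.map((requested) => ({
    requested,
    resolved: path.resolve(PAGES_PATH, requested),
    prefixOnly: isInsidePrefixOnly(PAGES_PATH, requested),
    withSeparator: isInsideWithSeparator(PAGES_PATH, requested),
  }));
}

// Constructed sample inputs, not captured traffic.
const SAMPLE_REQUESTS = [
  'index.html',                  // legitimate file inside the pages directory
  'sub/../index.html',           // normalizes to a path inside the directory
  '../other/file.txt',           // unrelated sibling: both checks reject it
  '../pages-secret/config.json', // prefix-sharing sibling: only the hardened check rejects it
];

console.table(compareChecks(SAMPLE_REQUESTS));
```

Any row where `prefixOnly` is true and `withSeparator` is false is a path the prefix comparison would have served from outside the pages directory.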
nvd CVSS4.0
6.3
Vulnerability type
CWE-22
Path Traversal
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026