7.8
Parse Server allows unauthorized data to be sent with certain requests
GHSA-q342-9w2p-57fp
CVE-2026-30938
BIT-parse-2026-30938
Summary
A flaw in Parse Server's `requestKeywordDenylist` control, which is meant to reject request payloads containing prohibited keys, lets a request carry data that should have been blocked. All Parse Server deployments are affected because the control is enabled by default. Updating to a fixed release resolves the issue; until then, a Cloud Code `beforeSave` trigger that checks incoming data for prohibited keywords across all classes serves as a workaround.
What to do
- Update parse-server to version 8.6.12.
- Update parse-server to version 9.5.1-alpha.1.
- Update parse to version 9.5.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | <= 8.6.12 | 8.6.12 |
| – | parse-server | > 9.0.0-alpha.1 , <= 9.5.1-alpha.1 | 9.5.1-alpha.1 |
| parseplatform | parse-server | <= 8.6.12 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.1 | – |
| – | parse | > 9.0.0 , <= 9.5.1 | 9.5.1 |
Original title
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Original description
### Impact
The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally by-passable using the same technique.
All Parse Server deployments are affected. The `requestKeywordDenylist` is enabled by default.
### Patches
The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads.
### Workarounds
Use a Cloud Code `beforeSave` trigger to validate incoming data for prohibited keywords across all classes.
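The scan logic described under Impact and Patches, and the `beforeSave` workaround, as an added example that is not Parse Server's own code: a reconstruction of the recursive scanner's early-exit bug beside an iterative, stack-based scanner, plus a guard shaped for a Cloud Code `beforeSave` handler. The denylist shape (`{ key }` entries), the key names and the payloads are constructed for this illustration.

```javascript
// Constructed, simplified denylist: an array of { key } entries.
const DENYLIST = [{ key: '_blockedKeyword' }];

const isContainer = v => v !== null && typeof v === 'object';

// Buggy shape (reconstructed from the advisory text): the recursive call is
// returned directly, so after the first nested value is visited the remaining
// sibling keys of the same object are never examined.
function scanRecursiveBuggy(data, denylist) {
  for (const [key, value] of Object.entries(data)) {
    if (denylist.some(e => e.key === key)) return key;
    if (isContainer(value)) return scanRecursiveBuggy(value, denylist);
  }
  return null;
}

// Fixed shape: an explicit stack visits every key of every container, and the
// call depth no longer grows with payload nesting.
function scanIterative(data, denylist) {
  const stack = [data];
  while (stack.length > 0) {
    const node = stack.pop();
    if (!isContainer(node)) continue;
    for (const [key, value] of Object.entries(node)) { // arrays yield index keys
      if (denylist.some(e => e.key === key)) return key;
      if (isContainer(value)) stack.push(value);
    }
  }
  return null;
}

// Guard shaped for a Cloud Code beforeSave trigger: reject the write when a
// denylisted key appears anywhere in the object being saved.
function beforeSaveKeywordGuard(request, denylist = DENYLIST) {
  const hit = scanIterative(request.object.toJSON(), denylist);
  if (hit !== null) throw new Error(`Prohibited key in request: ${hit}`);
  return true;
}

// Constructed payload: a harmless nested object precedes the denylisted key.
const SIBLING_PAYLOAD = { profile: { name: 'a' }, _blockedKeyword: 1 };

// Constructed payload nested `depth` levels deep, to contrast the two scanners.
function deepPayload(depth) {
  const root = {};
  let cur = root;
  for (let i = 0; i < depth; i++) { cur.inner = {}; cur = cur.inner; }
  return root;
}
```

Registered with `Parse.Cloud.beforeSave` for each class to protect, the guard rejects the write before it reaches the database.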
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.12
GHSA CVSS 4.0 score: 6.9
Vulnerability type
CWE-693
Protection Mechanism Failure
- https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w...
- https://github.com/parse-community/parse-server/releases/tag/8.6.12
- https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
- https://github.com/advisories/GHSA-q342-9w2p-57fp
- Product: https://github.com/parse-community/parse-server
- https://nvd.nist.gov/vuln/detail/CVE-2026-30938
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026