CVE-2026-29182

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.4	Release Notes Patch
https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3	Release Notes Patch
https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha2::::node.js::*

History

No history.

Information

Published : 2026-03-06 21:16

Updated : 2026-03-10 19:53

NVD link : CVE-2026-29182

Mitre link : CVE-2026-29182

CVE.ORG link : CVE-2026-29182

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-29182", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T21:16:15.137", "references": [{"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.4", "tags": ["Release Notes", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3", "tags": ["Release Notes", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.4 y 9.4.1-alpha.3, la opci\u00f3n readOnlyMasterKey de Parse Server permite el acceso con privilegios de lectura a nivel maestro, pero est\u00e1 documentada para denegar todas las operaciones de escritura. Sin embargo, algunos endpoints aceptan incorrectamente la readOnlyMasterKey para operaciones de mutaci\u00f3n. Esto permite a un llamador que solo posee la readOnlyMasterKey crear, modificar y eliminar Cloud Hooks e iniciar Cloud Jobs, lo que puede ser utilizado para la exfiltraci\u00f3n de datos. Cualquier despliegue de Parse Server que utilice la opci\u00f3n readOnlyMasterKey se ve afectado. Tenga en cuenta que un atacante necesita conocer la readOnlyMasterKey para explotar esta vulnerabilidad. Este problema ha sido parcheado en las versiones 8.6.4 y 9.4.1-alpha.3."}], "lastModified": "2026-03-10T19:53:34.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "41A471BF-7EE9-4E57-B9F6-1BDB37D27275", "versionEndExcluding": "8.6.4"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9FF0ADC7-6AA6-44F7-8CA9-E0A2F1C1D63A", "versionEndIncluding": "9.4.0", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CC1C695A-70C0-45C8-867F-4541537F370B"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "2B1E392B-A41C-460C-8811-AA0473393870"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}