PT-2026-23438 · Unknown · Parse Server

Asukachloe +1 · Published 2026-03-05 · Updated 2026-03-11 · CVE-2026-29182

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.4
Parse Server versions prior to 9.4.1-alpha.3

Description

Parse Server deployments that use the readOnlyMasterKey option are susceptible to unauthorized modifications. The readOnlyMasterKey is intended to grant read-only access, but certain endpoints incorrectly permit mutating operations when a request is made with this key. An attacker who possesses the readOnlyMasterKey can create, modify, and delete Cloud Hooks and initiate Cloud Jobs, potentially leading to data exfiltration. The root cause is that the authorization checks on the vulnerable endpoints misuse the readOnlyMasterKey, accepting it for operations that should be restricted.

Recommendations

Parse Server versions prior to 8.6.4 should be upgraded to version 8.6.4 or later. Parse Server versions prior to 9.4.1-alpha.3 should be upgraded to version 9.4.1-alpha.3 or later. If upgrading is not immediately possible, ensure the readOnlyMasterKey value is not shared with untrusted parties.

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-PARSE-2026-29182
CVE-2026-29182
GHSA-VC89-5G3R-CMHH

Affected Products

Parse Server