PT-2026-23752 · Parse · Parse Server

Devanshbatham

·

Published

2026-03-06

·

Updated

2026-03-11

·

CVE-2026-30228

CVSS v4.0

6.9

Medium

Vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.5
Parse Server versions prior to 9.5.0-alpha.3

Description

The readOnlyMasterKey can be misused to create and delete files through the Files API. Specifically, the API endpoints /files/:filename (POST and DELETE methods) are affected. This bypasses the intended read-only restriction associated with the readOnlyMasterKey, allowing unauthorized file manipulation. An attacker possessing the readOnlyMasterKey can upload arbitrary files or delete existing ones. Any Parse Server deployment utilizing the readOnlyMasterKey and exposing the Files API is susceptible to this issue.

Recommendations

Versions prior to 8.6.5 should be updated to version 8.6.5 or later. Versions prior to 9.5.0-alpha.3 should be updated to version 9.5.0-alpha.3 or later. As a workaround, restrict network access to the /files/:filename API endpoints. Alternatively, avoid using the readOnlyMasterKey.

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-PARSE-2026-30228
CVE-2026-30228
GHSA-XFH7-PHR7-GR2X

Affected Products

Parse Server