PT-2026-23753 · Unknown · Parse Server

Devanshbatham · Published 2026-03-06 · Updated 2026-03-11 · CVE-2026-30229

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.6; Parse Server versions prior to 9.5.0-alpha.4

Description: Parse Server is an open-source backend deployable on Node.js infrastructures. A read-only master key can be used to call the POST /loginAs API endpoint, allowing the creation of a valid session token for any user. This lets a read-only credential impersonate any user and gain full read and write access to that user's data. Any Parse Server deployment that uses the readOnlyMasterKey is potentially affected. The fix adds a check to the /logInAs handler.

Recommendations: Versions prior to 8.6.6 should be updated to version 8.6.6 or later. Versions prior to 9.5.0-alpha.4 should be updated to version 9.5.0-alpha.4 or later. As a workaround, avoid using the readOnlyMasterKey.

Exploit

Fix

LPE

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-30229
CVE-2026-30229
GHSA-79WJ-8RQV-JVP5

Affected Products

Parse Server