PT-2026-23754 · Unknown · Parse Server

Fancymalware · Published 2026-03-06 · Updated 2026-03-11 · CVE-2026-30835

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.7
Parse Server versions prior to 9.5.0-alpha.6

Description

Parse Server is an open-source backend deployable on Node.js infrastructures. A malformed $regex query parameter, such as [abc), can cause the database to return a structured error object, which is then passed unsanitized into the API response. This exposes database internals, including error messages, error codes, code names, cluster timestamps, and topology details. The issue is exploitable by any client capable of sending query requests, contingent on the deployment’s permission settings. The vulnerable parameter is $regex. The API endpoint receiving the vulnerable parameter is not specified.

Recommendations

Upgrade to Parse Server version 8.6.7 or later.
Upgrade to Parse Server version 9.5.0-alpha.6 or later.
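
The failure mode in the description, shown from the defensive side as an added example (not Parse Server's code and not the upstream fix): reject a $regex that does not compile before it reaches the database, and collapse any database error into a fixed client-safe body. All function names, the internal key list (modelled on MongoDB-style error replies), the sample error and the numeric codes are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Parse Server's own code.
// Key names are assumptions modelled on MongoDB-style error replies.
const INTERNAL_KEYS = ['errmsg', 'codeName', '$clusterTime', 'operationTime', 'topologyVersion'];

// Constructed sample of a raw database error (all values are placeholders).
const SAMPLE_DB_ERROR = {
  errmsg: 'constructed: invalid regular expression',
  codeName: 'ConstructedCodeName',
  $clusterTime: { clusterTime: 'constructed-timestamp' },
  operationTime: 'constructed-timestamp',
};

// Recursively collect every string $regex value in a query constraint object.
function collectRegexes(where, out = []) {
  if (Array.isArray(where)) {
    where.forEach((item) => collectRegexes(item, out));
  } else if (where && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      if (key === '$regex' && typeof value === 'string') out.push(value);
      else collectRegexes(value, out);
    }
  }
  return out;
}

// Reject patterns that do not compile before the query reaches the database.
// JavaScript RegExp only approximates the database dialect; codes are illustrative.
function validateQuery(where) {
  for (const pattern of collectRegexes(where)) {
    try {
      new RegExp(pattern);
    } catch (e) {
      return { ok: false, error: { code: 102, error: 'Invalid regular expression.' } };
    }
  }
  return { ok: true };
}

// Backstop: log the raw error server-side, return a fixed body to the client.
function toClientError(dbError, log = () => {}) {
  log(dbError);
  return { code: 1, error: 'Internal server error.' };
}

// True if a response body carries any internal field, at any nesting depth.
function leaksInternals(body) {
  if (!body || typeof body !== 'object') return false;
  return Object.entries(body).some(([k, v]) => INTERNAL_KEYS.includes(k) || leaksInternals(v));
}
```

Because the pre-check uses a different regex engine than the database, toClientError remains the control that matters; leaksInternals is suited to a response test that fails the build if an internal field ever reaches a client.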

Exploit

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

BIT-PARSE-2026-30835
CVE-2026-30835
GHSA-9CP7-3Q5W-J92G

Affected Products

Parse Server