PT-2026-23873 · Unknown · Parse Server
Fancymalware · Published 2026-03-07 · Updated 2026-03-11 · CVE-2026-30850
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.9
Parse Server versions prior to 9.5.0-alpha.9
Description
Parse Server is an open source backend deployable on Node.js infrastructure. In versions prior to 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint does not enforce beforeFind and afterFind file triggers. When these triggers are used for access control, the metadata endpoint bypasses them, potentially allowing unauthorized access to file metadata. The vulnerable API endpoint is /files/:appId/metadata/:filename.
Recommendations
Update to Parse Server version 8.6.9 or later.
Update to Parse Server version 9.5.0-alpha.9 or later.
Exploit
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server