PT-2026-24187 · Unknown · Parse Server

0Xkakash1 · Published 2026-03-10 · Updated 2026-03-18 · CVE-2026-30938

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.12
Parse Server versions prior to 9.5.1-alpha.1
Description
A logic flaw in the requestKeywordDenylist security control allows bypassing its restrictions by placing nested objects or arrays before prohibited keywords in the request payload. The issue stems from a bug that halts scanning of sibling keys after the first nested value is encountered, so both default and custom requestKeywordDenylist entries can be missed. All Parse Server deployments with requestKeywordDenylist enabled are affected. The fix replaces the recursive object scanner with an iterative stack-based traversal that processes every nested value without exiting the scan loop prematurely.
Recommendations
Versions prior to 8.6.12: update to version 8.6.12 or later.
Versions prior to 9.5.1-alpha.1: update to version 9.5.1-alpha.1 or later.
As a defence in depth, use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.
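The following is an added example, not Parse Server's own code, that reconstructs the two scanner shapes the description contrasts: a recursive walk that returns the result of the first nested descent (and therefore never looks at the sibling keys after it), beside an iterative stack-based walk that visits every key of every container. The denylist format, the function names (scanRecursiveFlawed, scanIterative, compareScanners) and the sample payloads are constructed for illustration and do not reproduce Parse Server's real default denylist or internals.

```javascript
// Added example, not Parse Server code. Names, denylist format and payloads
// are constructed to show why a recursive scanner that returns early misses
// denied keys that follow a nested object or array, and why an explicit
// stack-based traversal does not.

// Constructed denylist: a rule is either a RegExp tested against key names
// or an exact key-name string.
const DENYLIST = [/^\$/, '__proto__', 'constructor'];

function keyIsDenied(key, denylist) {
  return denylist.some(rule =>
    rule instanceof RegExp ? rule.test(key) : rule === key);
}

// Objects and arrays are containers whose entries must also be inspected.
function isContainer(value) {
  return typeof value === 'object' && value !== null;
}

// Flawed shape: the recursive call's result is returned immediately, so once
// a nested value is met, any sibling keys listed after it are never checked.
// Returns the dotted path of the first denied key, or null.
function scanRecursiveFlawed(obj, denylist, path = '') {
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (keyIsDenied(key, denylist)) return here;
    if (isContainer(value)) {
      return scanRecursiveFlawed(value, denylist, here); // BUG: early return
    }
  }
  return null;
}

// Fixed shape: every container is pushed onto a stack and every key of every
// popped container is checked before the walk finishes, so key order in the
// payload no longer matters. Same return contract as above.
function scanIterative(obj, denylist) {
  const stack = [{ node: obj, path: '' }];
  while (stack.length > 0) {
    const { node, path } = stack.pop();
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (keyIsDenied(key, denylist)) return here;
      if (isContainer(value)) stack.push({ node: value, path: here });
    }
  }
  return null;
}

// Constructed payloads: a denied key alone, a denied key placed after a
// nested object, after an array, one buried deep inside an array, and a
// clean document.
const SAMPLES = {
  plain: { name: 'alice', $where: '1' },
  nestedFirst: { profile: { age: 30 }, $where: '1' },
  arrayFirst: { tags: ['a', 'b'], $where: '1' },
  deep: { a: { b: { c: [{ $gt: 0 }] } } },
  clean: { a: { b: 1 }, c: [1, 2] },
};

// Runs both scanners over every sample and returns what each one found.
function compareScanners() {
  const results = {};
  for (const [name, payload] of Object.entries(SAMPLES)) {
    results[name] = {
      flawed: scanRecursiveFlawed(payload, DENYLIST),
      fixed: scanIterative(payload, DENYLIST),
    };
  }
  return results;
}

console.log(JSON.stringify(compareScanners(), null, 2));
```

Running it shows the flawed scanner returning null for nestedFirst and arrayFirst while the iterative one reports "$where" for both; the two agree on the plain, deep and clean cases. A function with the shape of scanIterative is also what a Cloud Code beforeSave trigger would call on the incoming object's JSON to reject a save that contains a denied key, which is the defence-in-depth step the recommendations describe.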

Weakness Enumeration
Protection Mechanism Failure

Related Identifiers

BIT-PARSE-2026-30938
CVE-2026-30938
GHSA-Q342-9W2P-57FP

Affected Products

Parse Server