PT-2026-24455 · Unknown · Parse Server
0Xkakash1 · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-30962
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.2-alpha.6
Parse Server versions prior to 8.6.19
Description
Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its validation of protected fields. The validation examines only top-level query keys, so an authenticated user can bypass the protection by embedding query constraints on protected fields within logical operators. This enables unauthorized access to, and extraction of, values from protected fields. Default protected fields exist in all Parse Server deployments.
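The validation gap described above, shown as an added example that is not Parse Server source code: a top-level-only key check next to a check that descends into the logical operators `$or`, `$and` and `$nor`. The function names and the protected field `secretField` are hypothetical, and the sample queries are constructed.

```javascript
// Added illustration; not Parse Server source code.
// Constructed protected-field list (hypothetical field name).
const PROTECTED = new Set(["secretField"]);
// Logical operators whose value is an array of sub-queries.
const LOGICAL_OPS = ["$or", "$and", "$nor"];

// Flawed pattern from the description: only top-level keys are examined.
function topLevelCheck(where) {
  return Object.keys(where).filter((k) => PROTECTED.has(k));
}

// Hardened pattern: descend into every logical operator and record the
// path of each constraint that touches a protected field.
function recursiveCheck(where, path = "where", hits = []) {
  if (where === null || typeof where !== "object" || Array.isArray(where)) {
    return hits;
  }
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      if (!Array.isArray(value)) continue; // malformed operator, nothing to walk
      value.forEach((sub, i) => recursiveCheck(sub, `${path}.${key}[${i}]`, hits));
    } else if (PROTECTED.has(key)) {
      hits.push(`${path}.${key}`);
    }
  }
  return hits;
}

// Gate for a caller who is not permitted to read protected fields.
function assertQueryAllowed(where) {
  const hits = recursiveCheck(where);
  if (hits.length > 0) {
    throw new Error(`constraint on protected field: ${hits.join(", ")}`);
  }
  return true;
}

// Constructed sample queries.
const direct = { secretField: { $exists: true } };
const nested = {
  $or: [{ name: "a" }, { $and: [{ secretField: { $exists: true } }] }],
};
const benign = { $or: [{ name: "a" }, { score: { $gt: 3 } }] };
```

The path strings returned by `recursiveCheck` are also suitable for logging rejected queries, which gives a record of attempts to constrain protected fields through nested operators.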
Recommendations
Update to Parse Server version 9.5.2-alpha.6 or later.
Update to Parse Server version 8.6.19 or later.
Exploit
Fix
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server