PT-2026-24689 · Bitnami+4 · Parse+1

Restriction · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-31872

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.6
Parse Server versions prior to 8.6.32
Description

Parse Server is an open source backend deployable on Node.js infrastructure. Its class-level permission (CLP) feature includes a protectedFields setting that hides the listed fields of a class from users who are not allowed to read them. The check that compares query keys (the WHERE clause) and sort keys against protectedFields does not reduce a dot-notation path to its root field: a key such as secretObj.apiKey is compared as a whole against the list, so it is not blocked when secretObj is protected. The constraint is nevertheless evaluated by the database, and the presence, absence or ordering of matching results acts as a binary oracle from which an unauthenticated attacker (CVSS PR:N) can recover the values of the protected field. MongoDB and PostgreSQL deployments are both affected.
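The following is an added example, not Parse Server's own code. It models the protectedFields check in JavaScript with an in-memory collection, a hypothetical protected field secretObj and a constructed secret value. It shows the vulnerable whole-key comparison beside the fixed root-field extraction, for both WHERE keys and the comma-separated order parameter, and runs a prefix-regex oracle against each to show that the vulnerable check leaks the value one character at a time while the fixed check rejects the first probe.

```javascript
// Added example, not Parse Server's code: a model of the protectedFields check
// on query (WHERE) keys and sort keys, the dot-notation bypass, and the fix.
// The collection, protected field name and secret value below are constructed.

// Root field of a dot-notation path: "secretObj.apiKey" -> "secretObj".
function rootField(key) {
  return key.split('.')[0];
}

// Parse REST "order" parameter: comma-separated keys, leading "-" = descending.
function sortKeys(order) {
  if (!order) return [];
  return order.split(',').map(k => k.trim()).filter(Boolean).map(k => k.replace(/^-/, ''));
}

// Vulnerable check (the behaviour the advisory describes): the whole key is
// compared against the list, so "secretObj.apiKey" !== "secretObj" slips through.
function isKeyBlockedVulnerable(key, protectedFields) {
  return protectedFields.includes(key);
}

// Fixed check: reduce the key to its root field before comparing.
function isKeyBlockedFixed(key, protectedFields) {
  return protectedFields.includes(rootField(key));
}

// Query and sort keys that the given check considers protected.
function protectedKeysTouched(where, order, protectedFields, isBlocked) {
  const keys = [...Object.keys(where || {}), ...sortKeys(order)];
  return keys.filter(k => isBlocked(k, protectedFields));
}

// Minimal evaluator: equality and {$regex} on dotted paths, enough for the oracle.
function getPath(obj, path) {
  return path.split('.').reduce((o, p) => (o == null ? undefined : o[p]), obj);
}
function matches(obj, where) {
  return Object.entries(where).every(([k, cond]) => {
    const v = getPath(obj, k);
    if (cond !== null && typeof cond === 'object' && '$regex' in cond) {
      return typeof v === 'string' && new RegExp(cond.$regex).test(v);
    }
    return v === cond;
  });
}

// Server side: refuse the query if any key is blocked, otherwise evaluate it
// and strip protected fields from the response (sorting itself is not modelled).
function find(collection, where, order, protectedFields, isBlocked) {
  if (protectedKeysTouched(where, order, protectedFields, isBlocked).length > 0) {
    throw new Error('query or sort on protected field');
  }
  return collection.filter(o => matches(o, where || {})).map(o => {
    const copy = { ...o };
    for (const f of protectedFields) delete copy[f];
    return copy;
  });
}

// Attacker side: a prefix-regex query answers "does any object match?", which
// recovers the hidden string one character at a time. Returns null if blocked.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function oracleRecover(collection, path, protectedFields, isBlocked, maxLen = 32) {
  let known = '';
  try {
    for (let i = 0; i < maxLen; i++) {
      const next = [...ALPHABET].find(ch => {
        const where = { [path]: { $regex: '^' + escapeRegex(known + ch) } };
        return find(collection, where, undefined, protectedFields, isBlocked).length > 0;
      });
      if (next === undefined) break;
      known += next;
    }
  } catch (e) {
    return null; // the fixed check rejects the very first probe
  }
  return known;
}

// Constructed sample data: one user whose secretObj is a protected field.
const COLLECTION = [
  { objectId: 'u1', name: 'alice', secretObj: { apiKey: 'k3y9z' } },
];
const PROTECTED = ['secretObj'];

// Oracle result under each check; run with `node` to print it.
function demo() {
  return {
    vulnerable: oracleRecover(COLLECTION, 'secretObj.apiKey', PROTECTED, isKeyBlockedVulnerable),
    fixed: oracleRecover(COLLECTION, 'secretObj.apiKey', PROTECTED, isKeyBlockedFixed),
  };
}
console.log(demo());
```

The model only implements the key check for the order parameter and does not sort results; in a real deployment a sort on a protected sub-field leaks through result ordering in the same way that the regex probe leaks through result presence.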
Recommendations

Update Parse Server to version 9.6.0-alpha.6 or later (for versions prior to 9.6.0-alpha.6) or to version 8.6.32 or later (for versions prior to 8.6.32).

Weakness Enumeration

Improper Access Control

Related Identifiers

BIT-PARSE-2026-31872
CVE-2026-31872
GHSA-R2M8-PXM9-9C4G

Affected Products

Parse
Parse Server