PT-2026-24750 · Bitnami+4 · Parse+1

Restriction · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-31856

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Parse Server 9.x versions prior to 9.6.0
Parse Server 8.x versions prior to 8.6.29

Description
Parse Server, an open-source backend that runs on Node.js, contains a SQL injection issue in its PostgreSQL storage adapter. It is triggered when an Increment operation targets a nested object field addressed with dot notation (for example, stats.counter): the amount value is concatenated directly into the SQL query text without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can therefore inject arbitrary SQL subqueries, potentially reading any data from the database and bypassing Class Level Permissions (CLPs) and Access Control Lists (ACLs). Deployments that use MongoDB are not affected.
Recommendations
For 9.x versions prior to 9.6.0, upgrade to version 9.6.0 or later.
For 8.x versions prior to 8.6.29, upgrade to version 8.6.29 or later.
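The pattern the description refers to, as an added example constructed for this page (it is not Parse Server's PostgresStorageAdapter code): a simplified query builder that splices the Increment amount into the SQL text, next to a hardened version that validates the amount's type, checks every interpolated identifier, and binds the amount as a query parameter. The table name, the jsonb_set query shape, the request body and the identifier regex are assumptions.

```javascript
// Constructed illustration of the bug class in the advisory: an Increment
// amount on a dot-notation field that is interpolated into SQL text.
// Not Parse Server's adapter code; the query shape and names are assumptions.

// Assumed rule for class/column names and JSON path segments.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function splitField(field) {
  // "stats.counter" -> JSON column "stats", path inside it ["counter"]
  const [column, ...path] = field.split('.');
  return { column, path };
}

// VULNERABLE: the amount is spliced into the query text as-is, so a string
// such as "(SELECT 1)" becomes SQL instead of a number.
function buildIncrementUnsafe(table, field, amount) {
  const { column, path } = splitField(field);
  const jsonPath = `{${path.join(',')}}`;
  const sql =
    `UPDATE "${table}" SET "${column}" = jsonb_set("${column}", '${jsonPath}', ` +
    `to_jsonb(COALESCE(("${column}" #>> '${jsonPath}')::numeric, 0) + ${amount}))`;
  return { sql, params: [] };
}

// HARDENED: reject anything that is not a finite number, validate every
// identifier that still has to be interpolated, and bind the amount as $1.
function buildIncrementSafe(table, field, amount) {
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    throw new TypeError('Increment amount must be a finite number');
  }
  const { column, path } = splitField(field);
  for (const name of [table, column, ...path]) {
    if (!IDENT.test(name)) {
      throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
    }
  }
  const jsonPath = `{${path.join(',')}}`;
  const sql =
    `UPDATE "${table}" SET "${column}" = jsonb_set("${column}", '${jsonPath}', ` +
    `to_jsonb(COALESCE(("${column}" #>> '${jsonPath}')::numeric, 0) + $1))`;
  return { sql, params: [amount] };
}

// Constructed request body shaped like a Parse REST write carrying an
// Increment op on a nested field; the amount is a hostile string.
const HOSTILE_REQUEST = {
  'stats.counter': { __op: 'Increment', amount: '(SELECT 1)' },
};

// Dispatch one Increment op from a request body to a builder.
function handleIncrement(builder, table, body) {
  const [field, op] = Object.entries(body)[0];
  if (!op || op.__op !== 'Increment') throw new Error('not an Increment op');
  return builder(table, field, op.amount);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(handleIncrement(buildIncrementUnsafe, 'GameScore', HOSTILE_REQUEST).sql);
  try {
    handleIncrement(buildIncrementSafe, 'GameScore', HOSTILE_REQUEST);
  } catch (e) {
    console.log('hardened builder rejected the request:', e.message);
  }
  const ok = { 'stats.counter': { __op: 'Increment', amount: 5 } };
  console.log(handleIncrement(buildIncrementSafe, 'GameScore', ok));
}
```

Running the file prints the unsafe query with the subquery embedded where a number should be, then shows the hardened builder rejecting the same request with a TypeError and emitting a bound `$1` for a legitimate numeric amount. Binding the amount alone is not enough if the dot-notation path segments are still interpolated into the JSON path literal, which is why the hardened builder validates those as well.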

Weakness Enumeration

SQL injection

Related Identifiers

BIT-PARSE-2026-31856
CVE-2026-31856
GHSA-Q3VJ-96H2-GWVG

Affected Products

Parse
Parse Server