PT-2026-24760 · Bitnami+4 · Parse+1

Restriction · Published: 2026-03-11 · Updated: 2026-03-13 · CVE-2026-31871

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.5 and versions prior to 8.6.31

Description: Parse Server, a backend deployable on Node.js infrastructures, contains a SQL injection issue in the PostgreSQL storage adapter. It occurs when processing Increment operations on nested object fields addressed with dot notation (e.g., stats.counter): the sub-key name is inserted directly into a SQL string literal without escaping. An attacker able to send write requests to the Parse Server REST API can inject arbitrary SQL through a manipulated sub-key name containing single quotes. This could lead to command execution or data retrieval from the database, bypassing class-level permissions (CLPs) and ACLs. Only deployments using PostgreSQL are affected. The fix escapes single quotes in the sub-key name before it is interpolated into the SQL query. The vulnerable operation is reached through the REST API; the vulnerable parameter is the sub-key name within the dot notation (e.g., stats.'evil').

Recommendations: Versions prior to 9.6.0-alpha.5 should be updated to version 9.6.0-alpha.5 or later. Versions prior to 8.6.31 should be updated to version 8.6.31 or later.

Tags: Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers: BIT-PARSE-2026-31871, CVE-2026-31871, GHSA-GQPP-XGVH-9H7H

Affected Products: Parse · Parse Server