PT-2026-24825 · Bitnami+4 · Parse+1

0Xkakash1 · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-32234

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.10; Parse Server versions prior to 8.6.36
Description: Parse Server is an open-source backend that can be deployed on any infrastructure running Node.js. An attacker with access to the master key can inject malicious SQL code through crafted field names used in query constraints when Parse Server is configured with PostgreSQL. The field name within a $regex query operator is passed to PostgreSQL through unparameterized string interpolation, which allows the SQL query to be manipulated. This SQL injection bypasses Parse Server's abstraction layer and operates directly at the database level. The issue affects only deployments that use PostgreSQL. The API endpoint is not explicitly mentioned. The vulnerable parameter is the field name used in the $regex query operator.
Recommendations: Update Parse Server to version 9.6.0-alpha.10 or later, or to version 8.6.36 or later.
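As an added illustration (not Parse Server's own code), the contrast the advisory describes: a field name spliced directly into the SQL text versus a builder that allow-lists the identifier, quotes it, and binds the regex pattern as a parameter. The allow-list pattern, function names and sample inputs are assumptions made for this example.

```javascript
// Added example, not Parse Server's own code. Assumed: a Parse-style
// field-name allow-list (letter first, then letters, digits or underscores).
const FIELD_NAME_RE = /^[A-Za-z][A-Za-z0-9_]*$/;

// Vulnerable shape (for contrast only): the field name is spliced into the
// SQL text unvalidated and unquoted, so it can alter the statement itself.
function buildRegexClauseUnsafe(fieldName, pattern) {
  return { text: `${fieldName} ~ $1`, values: [pattern] };
}

// Identifiers cannot be bound as query parameters, so they are allow-listed
// and double-quoted instead; the regex pattern is always a bound value.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || !FIELD_NAME_RE.test(name)) {
    throw new Error(`Invalid field name: ${JSON.stringify(name)}`);
  }
  // Escape embedded quotes as defence in depth (none can pass the allow-list).
  return `"${name.replace(/"/g, '""')}"`;
}

// Builds a PostgreSQL regex predicate; an 'i' in $options selects the
// case-insensitive `~*` operator, mirroring MongoDB-style $regex constraints.
function buildRegexClause(fieldName, pattern, options = '') {
  const op = options.includes('i') ? '~*' : '~';
  return { text: `${quoteIdentifier(fieldName)} ${op} $1`, values: [pattern] };
}

// Returns true when the hardened builder refuses the given field name.
function rejectsFieldName(fieldName) {
  try {
    buildRegexClause(fieldName, '^a');
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed inputs: a legitimate field name and one carrying a quote
// character, which the unsafe builder passes through untouched.
const legit = buildRegexClause('username', '^admin', 'i');
const crafted = 'username"';
console.log(legit.text, legit.values);                   // "username" ~* $1 [ '^admin' ]
console.log(buildRegexClauseUnsafe(crafted, '^a').text); // username" ~ $1
console.log(rejectsFieldName(crafted));                  // true
```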

Weakness Enumeration: SQL injection

Related Identifiers

BIT-PARSE-2026-32234
CVE-2026-32234
GHSA-C442-97QW-J6C6

Affected Products

Parse
Parse Server