PT-2026-25985 · Unknown · Parse Server

Restriction · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32878

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.20
Parse Server versions prior to 8.6.44

Description

Parse Server, an open-source backend deployable on Node.js infrastructure, is affected by an issue that lets an attacker bypass the request keyword denylist and the class-level permission that restricts adding fields. The attacker sends a crafted request that exploits prototype pollution in the server's deep copy step. Successful exploitation injects fields into class schemas whose field addition is restricted and can leave the schema with permanent type conflicts that cannot be resolved, even with master key access. The root cause is that parse-server relied on a cloning mechanism that alters the data before the security checks run: the deep copy step strips "__proto__" properties, so the checks do not see what the original request carried. The vulnerable third-party deep copy library was replaced with a built-in deep clone in the fixed versions.

Recommendations

Parse Server versions prior to 9.6.0-alpha.20 should be updated to 9.6.0-alpha.20 or later. Parse Server versions prior to 8.6.44 should be updated to 8.6.44 or later.
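The following Node.js snippet is an added illustration of the bug class the description points at, a security check that runs on a transformed copy while the untouched original is what gets used, and it is not Parse Server's code or its actual request path. The clone helper (strippingDeepClone), the denylist, the request body and the function names are all hypothetical; the only Parse Server-specific fact it relies on is the advisory's statement that the deep copy step stripped "__proto__" properties before the checks ran.

```javascript
// Added illustration of the "validate the copy, use the original" bug class.
// NOT Parse Server's code: clone helper, request shape and names are hypothetical.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical deep clone that silently drops own "__proto__" keys, the
// behaviour the advisory attributes to the replaced third-party library.
function strippingDeepClone(value) {
  if (Array.isArray(value)) return value.map(strippingDeepClone);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (key === '__proto__') continue; // dropped before any check sees it
      out[key] = strippingDeepClone(value[key]);
    }
    return out;
  }
  return value;
}

// Walk an object tree and collect the JSON-ish paths of every denied key.
function findDeniedKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findDeniedKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (DENIED_KEYS.has(key)) hits.push(here);
      hits.push(...findDeniedKeys(value[key], here));
    }
  }
  return hits;
}

// Vulnerable ordering: the denylist runs against the stripped clone, so an
// own "__proto__" key is never seen, yet the untouched original is returned
// and is what later code keeps working with.
function vulnerableAccept(request) {
  const copy = strippingDeepClone(request);
  const denied = findDeniedKeys(copy);
  if (denied.length > 0) throw new Error(`denied keys: ${denied.join(', ')}`);
  return request; // still carries the "__proto__" key
}

// Fixed ordering: validate the raw input first, then clone, and hand the
// caller the clone rather than the original.
function fixedAccept(request) {
  const denied = findDeniedKeys(request);
  if (denied.length > 0) throw new Error(`denied keys: ${denied.join(', ')}`);
  return strippingDeepClone(request);
}

// Constructed request body (not captured traffic). JSON.parse creates an OWN
// property literally named "__proto__" without touching the prototype chain,
// which is how such a body looks once the server has parsed it.
const CRAFTED_BODY = '{"name":"widget","__proto__":{"secretField":"injected"}}';

// Run both orderings against the same parsed body and report what happened.
function demo() {
  const request = JSON.parse(CRAFTED_BODY);
  const result = { vulnerablePassed: false, leakedKey: false, fixedRejected: false };
  try {
    const accepted = vulnerableAccept(request);
    result.vulnerablePassed = true;
    result.leakedKey = Object.prototype.hasOwnProperty.call(accepted, '__proto__');
  } catch (e) {
    result.vulnerablePassed = false;
  }
  try {
    fixedAccept(request);
  } catch (e) {
    result.fixedRejected = true;
  }
  return result;
}

console.log(JSON.stringify(demo()));
```

The accepted object from the vulnerable path still has an own "__proto__" key; any later recursive merge or assignment loop that writes `target[key] = value` for that key is the classic route from such a key to actual prototype pollution, which is why the check has to run on exactly the data that is used afterwards, not on a copy that has already been altered.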

Exploit

Fix

Weakness Enumeration

Prototype Pollution

Related Identifiers

BIT-PARSE-2026-32878
CVE-2026-32878
GHSA-9CCR-FPP6-78QF

Affected Products

Parse Server