PT-2026-27484

Mtrezza · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33539

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.59
Parse Server versions prior to 9.6.0-alpha.53
Description

Parse Server, an open source backend deployable on Node.js infrastructure, contains a flaw that lets an attacker who holds the master key execute arbitrary SQL statements against a PostgreSQL database. The attacker injects SQL metacharacters into the field-name parameters of the aggregate $group pipeline stage or of the distinct operation. Successful exploitation is a privilege escalation: the attacker moves from Parse Server application-level administrator privileges (the master key) to database-level access on PostgreSQL. Deployments using MongoDB are not affected. The vulnerability stems from insufficient validation of field names in the aggregate $group._id object values and in distinct dot-notation parameters, which allows SQL injection through the :raw interpolation used in the PostgreSQL storage adapter. The injected statements run with the privileges of the database role Parse Server connects as, so the reach of the attack is bounded by that role's grants rather than by Parse's own schema and class-level permissions.
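The following is an added example and not Parse Server's own code. It models the bug class named in the description: a client-controlled field name, including its dot-notation segments, is spliced into a PostgreSQL statement verbatim, which is what pg-promise's `:raw` filter does (it inserts the value with no escaping), so a caller allowed to run distinct or aggregate $group can terminate the statement and append their own. The hardened builders emit the same SQL for valid names and reject everything else. The class and field names ("GameScore", "stats.score", "playerName"), the shape of the generated SQL, and the attacker strings are all constructed for illustration; they are not the adapter's real queries.

```javascript
// Added example, not Parse Server's code: raw field-name interpolation
// beside a validating version. Names and SQL shape are illustrative only.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Accept only dot-separated plain identifiers. Quotes, semicolons, comment
// markers and whitespace are rejected before anything reaches SQL.
function assertFieldName(field) {
  if (typeof field !== 'string' || field.length === 0) {
    throw new Error('field name must be a non-empty string');
  }
  for (const segment of field.split('.')) {
    if (!IDENT.test(segment)) {
      throw new Error(`invalid field name segment: ${JSON.stringify(segment)}`);
    }
  }
  return field;
}

// Render dot notation as a jsonb path expression, e.g.
//   "stats.score"  ->  "stats"->>'score'
// Every segment is spliced verbatim: this is the raw-interpolation sink.
function renderFieldRaw(field) {
  const [column, ...keys] = field.split('.');
  let expr = `"${column}"`;
  keys.forEach((key, i) => {
    const op = i === keys.length - 1 ? '->>' : '->';
    expr += `${op}'${key}'`;
  });
  return expr;
}

// Vulnerable builders: request parameters flow straight into the statement.
function distinctSqlVulnerable(className, field) {
  return `SELECT DISTINCT ${renderFieldRaw(field)} AS "value" FROM "${className}"`;
}

function groupSqlVulnerable(className, groupField) {
  const expr = renderFieldRaw(groupField);
  return `SELECT ${expr} AS "_id", COUNT(*) AS "count" FROM "${className}" GROUP BY ${expr}`;
}

// Hardened builders: identical output for valid names, an exception otherwise.
function distinctSqlSafe(className, field) {
  assertFieldName(className);
  assertFieldName(field);
  return distinctSqlVulnerable(className, field);
}

function groupSqlSafe(className, groupField) {
  assertFieldName(className);
  assertFieldName(groupField);
  return groupSqlVulnerable(className, groupField);
}

// Demo check: a builder that should emit a single SELECT has been subverted
// if its output contains a statement terminator followed by more SQL.
function isMultiStatement(sql) {
  return /;\s*\S/.test(sql);
}

// Constructed attacker inputs: one lands in the column position, the other in
// the jsonb key position reached through dot notation.
const INJECTED_COLUMN = 'score" FROM "GameScore"; DROP TABLE "GameScore"; --';
const INJECTED_KEY = "stats.score'; DROP TABLE \"GameScore\"; --";

// Returns the statements each builder produces for benign and injected names.
function demo() {
  return {
    distinctOk: distinctSqlSafe('GameScore', 'stats.score'),
    groupOk: groupSqlSafe('GameScore', 'playerName'),
    distinctInjected: distinctSqlVulnerable('GameScore', INJECTED_COLUMN),
    groupInjected: groupSqlVulnerable('GameScore', INJECTED_KEY),
  };
}
```

Running `demo()` shows the vulnerable builders emitting a second statement after the intended SELECT, while the safe builders throw on the same inputs. In a real adapter the identifier should additionally be passed through a filter that quotes SQL names (pg-promise's `:name` filter does this; `:raw` does not), so that validation and quoting are two independent layers.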
Recommendations

Upgrade to Parse Server version 8.6.59 or later on the 8.x line.
Upgrade to Parse Server version 9.6.0-alpha.53 or later on the 9.x pre-release line.

Weakness Enumeration

SQL injection

Related Identifiers

BIT-PARSE-2026-33539
CVE-2026-33539
GHSA-P2W6-RMH7-W8Q3

Affected Products

MongoDB
Node.js
Parse Server
PostgreSQL