Main Vulnerability Database SB2026040760

SB2026040760 - SQL injection in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040760

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2026-31871)

The vulnerability allows a remote attacker to execute arbitrary SQL commands and disclose sensitive information.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation. A remote attacker can send crafted write requests to the Parse Server REST API with a malicious sub-key name to execute arbitrary SQL commands and disclose sensitive information.

Only PostgreSQL deployments are affected, and successful exploitation may bypass CLPs and ACLs.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h