SB2026040773 - SQL injection in Parse Server

Published: April 7, 2026

Security Bulletin ID: SB2026040773
Severity: High
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) SQL injection (CVE-ID: CVE-2026-31856)

The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation through the Parse Server REST API. A remote attacker can send a specially crafted write request to disclose sensitive information and modify data.

Deployments that use the MongoDB storage adapter are not affected. The issue can bypass class-level permissions (CLPs) and object ACLs, so the usual Parse access controls do not limit what a crafted request can read or change.
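The bug class described above, as an added illustration that is not Parse Server's own code and does not reproduce the actual CVE-2026-31856 fix: a hypothetical PostgreSQL adapter that turns a Parse REST Increment on a dotted key (the `{ "stats.views": { "__op": "Increment", "amount": 1 } }` request shape) into a `jsonb_set` UPDATE. The unsafe builder pastes the path segments into the SQL text; the hardened builder validates every segment and binds the path as a `text[]` parameter; `findSuspiciousIncrements` is a request-side check of the kind that could run in a Cloud Code `beforeSave` hook or at an API gateway in front of an unpatched server. The class name `GameScore`, the field names, the objectId and the hostile key are constructed inputs, and the SQL shape is an assumption, since the page does not show the adapter's query.

```javascript
// Added example, not Parse Server code. Models a PostgreSQL adapter that
// applies a Parse REST Increment on a dotted field as a JSONB path update.
// Only the REST request shape is Parse's; the SQL below is hypothetical.

// Segments of a dotted field path must be plain identifiers.
const SEGMENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeFieldPath(fieldPath) {
  if (typeof fieldPath !== 'string') return false;
  const parts = fieldPath.split('.');
  return parts.length >= 2 && parts.every((p) => SEGMENT_RE.test(p));
}

// VULNERABLE: the JSONB path is built by string interpolation. amount and
// objectId are bound as $1/$2 on purpose, to isolate the dotted path as the sink.
function buildIncrementSqlUnsafe(className, fieldPath, amount, objectId) {
  const [column, ...rest] = fieldPath.split('.');
  const path = rest.map((p) => `'${p}'`).join(','); // client text lands inside the SQL
  const text =
    `UPDATE "${className}" SET "${column}" = jsonb_set("${column}", ARRAY[${path}], ` +
    `to_jsonb(COALESCE(("${column}" #>> ARRAY[${path}])::numeric, 0) + $1)) ` +
    `WHERE "objectId" = $2`;
  return { text, values: [amount, objectId] };
}

// HARDENED: every segment is validated and the path travels as a bound
// text[] parameter, so the SQL text is constant regardless of client input.
function buildIncrementSqlSafe(className, fieldPath, amount, objectId) {
  if (!SEGMENT_RE.test(className)) throw new Error(`rejected class name ${JSON.stringify(className)}`);
  if (!isSafeFieldPath(fieldPath)) throw new Error(`rejected field path ${JSON.stringify(fieldPath)}`);
  if (typeof amount !== 'number' || !Number.isFinite(amount)) throw new Error('amount must be a finite number');
  const [column, ...rest] = fieldPath.split('.');
  const text =
    `UPDATE "${className}" SET "${column}" = jsonb_set("${column}", $3::text[], ` +
    `to_jsonb(COALESCE(("${column}" #>> $3::text[])::numeric, 0) + $1)) ` +
    `WHERE "objectId" = $2`;
  return { text, values: [amount, objectId, rest] };
}

// Request-side check (beforeSave hook or gateway): list Increment ops whose
// dotted key is not a clean identifier path.
function findSuspiciousIncrements(body) {
  const hits = [];
  for (const [key, value] of Object.entries(body || {})) {
    if (value && typeof value === 'object' && value.__op === 'Increment' &&
        key.includes('.') && !isSafeFieldPath(key)) {
      hits.push(key);
    }
  }
  return hits;
}

// Constructed inputs: a benign key and a hostile key shaped to close the
// ARRAY[...] literal, supply its own new value, replace the WHERE clause with
// one that is always true, and comment out the rest. Applied to the unsafe
// builder, a payload of this shape turns a single-object increment into a
// write across every row of the class, which is where the ACL/CLP row
// scoping is lost. It references $1 and $2 because PostgreSQL rejects a bind
// that supplies parameters the statement does not use.
const BENIGN_KEY = 'stats.views';
const HOSTILE_KEY = "stats.x'],to_jsonb($1::int)) WHERE $2<>'' OR true--";
const HOSTILE_BODY = { [HOSTILE_KEY]: { __op: 'Increment', amount: 1 } };

console.log('unsafe SQL :', buildIncrementSqlUnsafe('GameScore', HOSTILE_KEY, 1, 'abc123').text);
console.log('safe SQL   :', buildIncrementSqlSafe('GameScore', BENIGN_KEY, 1, 'abc123'));
console.log('flagged    :', findSuspiciousIncrements(HOSTILE_BODY));
```

The hardened builder keeps the SQL text independent of the request: the only client-derived pieces are the column name, which has passed the identifier check, and the path array, which is delivered to the server as a bound value rather than as SQL. The request-side check is only a stopgap; the path validation belongs in the adapter, where the SQL is built.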


Remediation

Install the fixed Parse Server release from the vendor (the bulletin lists a patch as available). Until it is deployed, PostgreSQL-backed servers can reject REST write requests whose Increment operations target dotted field paths containing anything other than plain identifier segments, for example in a Cloud Code beforeSave hook or at an API gateway; this is a stopgap, not a substitute for the patch.