Main Vulnerability Database SB2026040775

SB2026040775 - Protection Mechanism Failure in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040775

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Protection Mechanism Failure (CVE-ID: CVE-2026-30938)

The vulnerability allows a remote attacker to bypass a keyword denylist protection.

The vulnerability exists due to protection mechanism failure in the requestKeywordDenylist keyword scanner when processing request payloads containing a nested object or array before a prohibited keyword. A remote attacker can send a specially crafted request payload to bypass a keyword denylist protection.

The requestKeywordDenylist security control is enabled by default, and custom denylist entries configured by the developer are affected as well.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp