SB2026040786 - Incorrect authorization in Parse Server




Published: April 7, 2026

Security Bulletin ID: SB2026040786
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect authorization (CVE-ID: CVE-2026-30228)

The vulnerability allows a remote user to modify files.

The vulnerability exists due to incorrect authorization in the Files API when handling file creation and deletion requests with the readOnlyMasterKey. A remote privileged user can send crafted POST or DELETE requests to modify files.

Only deployments that use readOnlyMasterKey and expose the Files API are vulnerable.
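
A simplified model of the flaw described above, added here as an illustration and not taken from Parse Server's source. It assumes a readOnlyMasterKey request carries master-level auth plus a read-only flag, and that every file route is gated on master-level auth; the auth shape and all function names are hypothetical.

```javascript
// Simplified model (added illustration, not Parse Server source).
// Assumption: a request made with readOnlyMasterKey carries master-level
// auth plus a read-only flag. All names here are hypothetical.
const AUTH = {
  master: { isMaster: true, isReadOnly: false },
  readOnlyMaster: { isMaster: true, isReadOnly: true },
  anonymous: { isMaster: false, isReadOnly: false },
};

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Flawed pattern: asks only "is this master-level?", so the read-only
// key passes the same gate as the full master key.
function flawedAuthorize(method, auth) {
  return auth.isMaster;
}

// Hardened pattern: the read-only flag is checked before any state change.
function hardenedAuthorize(method, auth) {
  if (!auth.isMaster) return false;
  if (auth.isReadOnly && WRITE_METHODS.has(method)) return false;
  return true;
}

// Regression check: list every method on which a read-only credential
// is allowed to change state. An empty list means the invariant holds.
function readOnlyViolations(authorize, methods = ['GET', 'POST', 'DELETE']) {
  return methods.filter(
    (m) => WRITE_METHODS.has(m) && authorize(m, AUTH.readOnlyMaster)
  );
}

console.log('flawed  :', readOnlyViolations(flawedAuthorize));
console.log('hardened:', readOnlyViolations(hardenedAuthorize));
```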


Remediation

Install the update from the vendor's website.