SB2026040787 - Incorrect authorization in Parse Server


Published: April 7, 2026

Security Bulletin ID: SB2026040787
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect authorization (CVE-ID: CVE-2026-29182)

The vulnerability allows a remote user to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.

The vulnerability exists due to incorrect authorization in Cloud Hooks and Cloud Jobs endpoints when handling mutating requests authenticated with the readOnlyMasterKey. A remote privileged user can send crafted mutating requests using the readOnlyMasterKey to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.

Only deployments that use the readOnlyMasterKey option are vulnerable.


Remediation

Install the update from the vendor's website.
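
Until the update is installed, a deployment that sets readOnlyMasterKey can reject the requests described above in front of Parse Server. The guard below is an added example, not Parse Server code or part of the vendor's fix. It assumes the REST routes /hooks/... and /jobs..., the X-Parse-Master-Key header and the _MasterKey body field, and that it is mounted on the Parse Server mount path after a JSON body parser; the function names are hypothetical.

```javascript
// Added example: compensating guard, not Parse Server's own code.
// Assumptions: routes /hooks/* and /jobs*, header X-Parse-Master-Key,
// body field _MasterKey, req.path relative to the Parse mount path.
const GUARDED = /^\/(hooks|jobs)(\/|$)/i; // Express routing is case-insensitive by default
const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Compare without returning early at the first differing character.
function sameSecret(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || b.length === 0) return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

// True when the read-only key is presented on a mutating request to a
// Cloud Hooks or Cloud Jobs route. A POST that tunnels a read is also
// flagged, which errs on the side of blocking.
function isReadOnlyKeyMutation(req, readOnlyMasterKey) {
  if (!readOnlyMasterKey) return false; // option not in use: not affected
  const method = String(req.method || '').toUpperCase();
  if (READ_METHODS.has(method)) return false;
  if (!GUARDED.test(req.path || '')) return false;
  const headers = req.headers || {};
  const presented = [headers['x-parse-master-key'], req.body && req.body._MasterKey];
  return presented.some((k) => sameSecret(k, readOnlyMasterKey));
}

// Express-style middleware factory: log and answer 403 instead of forwarding.
function readOnlyKeyGuard(readOnlyMasterKey, log = console.warn) {
  return function guard(req, res, next) {
    if (!isReadOnlyKeyMutation(req, readOnlyMasterKey)) return next();
    log(`blocked read-only master key on ${req.method} ${req.path} from ${req.ip}`);
    res.statusCode = 403;
    res.end(JSON.stringify({ error: 'unauthorized: read-only master key' }));
  };
}
```

The log line written on each rejection also gives a record of attempts to use the read-only key against these endpoints.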