#VU124968 Incorrect authorization in Parse Server - CVE-2026-29182
Published: April 6, 2026
Parse Server
Parse Community
Description
The vulnerability allows a remote user to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.
The vulnerability exists due to incorrect authorization in Cloud Hooks and Cloud Jobs endpoints when handling mutating requests authenticated with the readOnlyMasterKey. A remote privileged user can send crafted mutating requests using the readOnlyMasterKey to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.
Only deployments that use the readOnlyMasterKey option are vulnerable.
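The authorization rule the description implies, as an added example that is not Parse Server's own code: a read-only master credential may read the Cloud Hooks and Cloud Jobs management routes but must be refused on any mutating method. The `/hooks` and `/jobs` prefixes (relative to the mount path), the `{ isMaster, isReadOnly }` auth shape, the function names, and the sample log entries are assumptions constructed for illustration.

```javascript
// Added example, not Parse Server source. The route prefixes and the
// { isMaster, isReadOnly } auth shape are assumptions made for illustration.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const MANAGEMENT_PREFIXES = ['/hooks', '/jobs']; // Cloud Hooks, Cloud Jobs

// Strip the query string and duplicate slashes before matching the prefix,
// so '//hooks/functions?x=1' is still treated as a management route.
function isManagementRoute(path) {
  const clean = String(path).split('?')[0].replace(/\/{2,}/g, '/');
  return MANAGEMENT_PREFIXES.some(p => clean === p || clean.startsWith(p + '/'));
}

// Decide on the credential's role AND the operation, not on the role alone.
function authorizeManagement(req, auth) {
  const method = String(req.method || '').toUpperCase();
  if (!isManagementRoute(req.path)) return { allow: true, reason: 'not a management route' };
  if (!auth || !auth.isMaster) return { allow: false, reason: 'master key required' };
  // A check that stops here treats the read-only key as a full master key.
  if (auth.isReadOnly && !SAFE_METHODS.has(method)) {
    return { allow: false, reason: 'read-only key cannot mutate' };
  }
  return { allow: true, reason: 'authorized' };
}

// Constructed sample log entries (hypothetical hook and job names).
const RO = { isMaster: true, isReadOnly: true };
const SAMPLE_LOG = [
  { method: 'GET', path: '/hooks/functions', auth: RO },
  { method: 'POST', path: '/hooks/functions', auth: RO },
  { method: 'DELETE', path: '/hooks/triggers/Note/beforeSave', auth: RO },
  { method: 'POST', path: '/jobs/exportAll', auth: RO },
  { method: 'POST', path: '/jobs/nightly', auth: { isMaster: true, isReadOnly: false } },
];

// Audit helper: logged requests made with the read-only key that the rule
// above refuses, i.e. writes that should never have succeeded.
function readOnlyWrites(log) {
  return log.filter(e => e.auth.isReadOnly && !authorizeManagement(e, e.auth).allow);
}
```

Running `readOnlyWrites` over request logs that record the credential type gives a quick list of hook changes and job starts to review on a deployment that had `readOnlyMasterKey` configured.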