Incorrect authorization in Parse Server - CVE-2026-29182

Published: April 6, 2026


Vulnerability identifier: #VU124968
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29182
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.

The vulnerability exists due to incorrect authorization in Cloud Hooks and Cloud Jobs endpoints when handling mutating requests authenticated with the readOnlyMasterKey. A remote privileged user can send crafted mutating requests using the readOnlyMasterKey to create, modify, and delete Cloud Hooks and start Cloud Jobs to exfiltrate data.

Only deployments that use the readOnlyMasterKey option are vulnerable.
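The authorization failure described above, as an added illustration that is not Parse Server's own code: a check that only asks whether a request carries a master-level key lets the readOnlyMasterKey perform mutating requests, while the corrected check also consults the read-only flag. The header name `x-parse-master-key`, the `/hooks/...` and `/jobs/...` paths and the sample key values are assumptions constructed for the example.

```javascript
// Added illustration (not Parse Server's code): an authorization check for the
// Cloud Hooks and Cloud Jobs endpoints. Header name and paths are assumptions.
const MASTER_KEY = 'constructed-full-master-key';
const READ_ONLY_MASTER_KEY = 'constructed-read-only-master-key';

// Paths whose non-GET requests create/modify/delete hooks or start jobs.
const HOOK_OR_JOB_PATH = /^\/(hooks\/(functions|triggers)|jobs)(\/|$)/;
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Map the presented key to a privilege level. Both keys are "master" keys,
// which is exactly why a check that only asks "is this a master key?" fails.
function classifyKey(headers) {
  const key = headers['x-parse-master-key'];
  if (key === MASTER_KEY) return { master: true, readOnly: false };
  if (key === READ_ONLY_MASTER_KEY) return { master: true, readOnly: true };
  return { master: false, readOnly: false };
}

// CWE-863 pattern: the read-only flag is never consulted, so a read-only key
// is accepted for a DELETE on a hook or a POST that starts a job, like the full key.
function authorizeVulnerable(req) {
  return classifyKey(req.headers).master;
}

// Hardened: master-level access is still required, and a read-only key is
// additionally limited to safe methods on the hook/job endpoints.
function authorizeFixed(req) {
  const auth = classifyKey(req.headers);
  if (!auth.master) return false;
  const mutating = !SAFE_METHODS.has(req.method.toUpperCase());
  if (auth.readOnly && mutating && HOOK_OR_JOB_PATH.test(req.path)) return false;
  return true;
}

// Constructed sample requests: a read-only key listing hooks (legitimate), the
// same key trying to register/delete a hook and start a job (must be denied),
// and the full master key starting a job (allowed).
const SAMPLE_REQUESTS = [
  { method: 'GET',    path: '/hooks/functions',      headers: { 'x-parse-master-key': READ_ONLY_MASTER_KEY } },
  { method: 'POST',   path: '/hooks/functions',      headers: { 'x-parse-master-key': READ_ONLY_MASTER_KEY } },
  { method: 'DELETE', path: '/hooks/triggers/Users', headers: { 'x-parse-master-key': READ_ONLY_MASTER_KEY } },
  { method: 'POST',   path: '/jobs/exportUsers',     headers: { 'x-parse-master-key': READ_ONLY_MASTER_KEY } },
  { method: 'POST',   path: '/jobs/exportUsers',     headers: { 'x-parse-master-key': MASTER_KEY } },
];

function decisions(authorize) {
  return SAMPLE_REQUESTS.map((req) => authorize(req));
}

console.log('vulnerable:', decisions(authorizeVulnerable)); // all true
console.log('fixed:     ', decisions(authorizeFixed));      // true, false, false, false, true
```

The same pattern doubles as a regression test for a patched deployment: every row that the fixed check denies should receive an authorization error from the server when sent with the readOnlyMasterKey.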


How to mitigate CVE-2026-29182

Install the security update from the vendor's website.

Sources