SQL injection in Parse Server - CVE-2026-31856

 

SQL injection in Parse Server - CVE-2026-31856

Published: April 6, 2026


Vulnerability identifier: #VU124982
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31856
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation through the Parse Server REST API. A remote attacker can send a specially crafted write request to disclose sensitive information and modify data.

MongoDB deployments are not affected. The issue can bypass CLPs and ACLs.


How to mitigate CVE-2026-31856

Install security update from vendor's website.

Sources