#VU124982 SQL injection in Parse Server - CVE-2026-31856

Published: April 6, 2026


Vulnerability identifier: #VU124982
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31856
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Parse Server
Software vendor:
Parse Community

Description

The vulnerability allows a remote, unauthenticated attacker to read sensitive data and modify data in the application's database.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when it processes Increment operations on nested object fields addressed with dot notation (e.g. `stats.count`) through the Parse Server REST API. A remote attacker can send a specially crafted write request whose field path contains SQL syntax to read sensitive data and modify data.

MongoDB deployments are not affected; only deployments whose `databaseURI` points at PostgreSQL (a `postgres://` URI) use the affected adapter. Because the injected SQL is executed by the storage adapter, the issue can be used to bypass class-level permissions (CLPs) and object ACLs.


Remediation

Install the security update from the vendor's website. The advisory does not state the fixed version; consult the vendor's release notes for the Parse Server version that addresses CVE-2026-31856.

External links