Improper access control in Parse Server - CVE-2026-30966

 

Improper access control in Parse Server - CVE-2026-30966

Published: April 6, 2026


Vulnerability identifier: #VU124987
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-30966
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass access controls and gain unauthorized access to protected data and operations.

The vulnerability exists due to improper access control in internal relationship tables when handling direct REST API or GraphQL API operations using only the application key. A remote attacker can create, read, update, or delete records in `_Join` tables to bypass access controls and gain unauthorized access to protected data and operations.

Exploitation can allow injection into Parse Roles and can also bypass class-level permissions that rely on Relation fields used in `pointerFields` CLP.


How to mitigate CVE-2026-30966

Install security update from vendor's website.

Sources