SQL injection in Parse Server - CVE-2026-31871

 

SQL injection in Parse Server - CVE-2026-31871

Published: April 6, 2026


Vulnerability identifier: #VU124995
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31871
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands and disclose sensitive information.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation. A remote attacker can send crafted write requests to the Parse Server REST API with a malicious sub-key name to execute arbitrary SQL commands and disclose sensitive information.

Only PostgreSQL deployments are affected, and successful exploitation may bypass CLPs and ACLs.


How to mitigate CVE-2026-31871

Install security update from vendor's website.

Sources