#VU124995 SQL injection in Parse Server - CVE-2026-31871

Published: April 6, 2026


Vulnerability identifier: #VU124995
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31871
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands and disclose sensitive information.

The vulnerability exists due to SQL injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation. A remote attacker can send crafted write requests to the Parse Server REST API with a malicious sub-key name to execute arbitrary SQL commands and disclose sensitive information.

Only deployments using the PostgreSQL storage adapter are affected; successful exploitation may bypass class-level permissions (CLPs) and ACLs.
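The description above locates the flaw in how a user-controlled sub-key of a dotted field reaches the SQL that the storage adapter builds for an Increment. As an added illustration of the defensive pattern (this is not Parse Server's code or its fix; the function names, the `stats` column and the query shape are assumptions), the following node-postgres-style query builder keeps the sub-key out of the SQL text entirely by binding the JSON path as a `text[]` parameter, and additionally restricts class and column identifiers to a strict allowlist before they are quoted into the statement:

```javascript
// Added illustration, not Parse Server's code: build a parameterized
// PostgreSQL UPDATE for an Increment on a nested JSON field addressed by
// dot notation ("stats.views"). The user-controlled sub-keys are never
// spliced into the SQL string; they travel as a bound text[] path.
// The returned { text, values } object is the query config shape that
// node-postgres (pg) accepts.

// Class and column names have to become quoted identifiers in the SQL text,
// so they are restricted to a conservative allowlist first.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdentifier(name) {
  if (typeof name !== 'string' || !IDENTIFIER_RE.test(name)) {
    throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Sub-keys are bound as parameters, so quoting characters in them cannot
// change the statement; the allowlist is applied anyway because Parse keys
// are expected to be plain names and a strict check is cheap.
function validateSubKey(key) {
  if (typeof key !== 'string' || !IDENTIFIER_RE.test(key)) {
    throw new Error(`rejected nested key: ${JSON.stringify(key)}`);
  }
  return key;
}

function buildNestedIncrementQuery(className, dottedField, amount, objectId) {
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    throw new Error('increment amount must be a finite number');
  }
  const [column, ...subKeys] = String(dottedField).split('.');
  if (subKeys.length === 0) {
    throw new Error('expected a dotted field such as "stats.views"');
  }
  const col = quoteIdentifier(column);
  const path = subKeys.map(validateSubKey);

  // $1 = JSON path as text[], $2 = amount, $3 = objectId.
  // The current value at the path (0 if absent) is read with #>>, the
  // amount is added, and jsonb_set writes the result back. With
  // create_missing = true the final key is created when its parent object
  // exists; a non-numeric value at the path makes the ::numeric cast fail,
  // so the statement errors instead of silently overwriting.
  const text =
    `UPDATE ${quoteIdentifier(className)} ` +
    `SET ${col} = jsonb_set(COALESCE(${col}, '{}'::jsonb), $1::text[], ` +
    `to_jsonb(COALESCE((${col} #>> $1::text[])::numeric, 0) + $2::numeric), true) ` +
    `WHERE "objectId" = $3`;

  return { text, values: [path, amount, objectId] };
}

// Returns true when the builder refuses the field path, i.e. the request
// would be rejected before any SQL is sent to PostgreSQL.
function isRejectedFieldPath(dottedField) {
  try {
    // 'GameScore' and the object id are constructed sample values.
    buildNestedIncrementQuery('GameScore', dottedField, 1, 'constructed-object-id');
    return false;
  } catch (e) {
    return true;
  }
}
```

The point of the design is that a sub-key can only ever reach the database as a parameter value, so the statement text is fixed for a given class and column regardless of what the client sends; the identifier allowlist is a second, independent line of defence for the two names that do have to appear in the SQL string.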


Remediation

Install the security update from the vendor's website.

External links