Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.5 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.5Release NotesProduct
- https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3Release NotesProduct
- https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phVendor Advisory
FAQ
What is CVE-2026-30228?
CVE-2026-30228 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delet...
How severe is CVE-2026-30228?
CVE-2026-30228 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30228?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.