Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0-alpha.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.7 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.7ProductRelease Notes
- https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.6ProductRelease Notes
- https://github.com/parse-community/parse-server/security/advisories/GHSA-9cp7-3qPatchVendor Advisory
FAQ
What is CVE-2026-30835?
CVE-2026-30835 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes ...
How severe is CVE-2026-30835?
CVE-2026-30835 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30835?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.