Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.19 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.19ProductRelease Notes
- https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6ProductRelease Notes
- https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qfMitigationPatchVendor Advisory
FAQ
What is CVE-2026-30962?
CVE-2026-30962 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level que...
How severe is CVE-2026-30962?
CVE-2026-30962 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30962?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.