CVE-2026-30966

Parse · Parse Server

Parse Server is vulnerable to unauthorized access of internal relation tables via REST or GraphQL APIs, allowing privilege escalation via role manipulation.

Executive summary

A critical vulnerability in Parse Server allows an attacker who holds only the public application credentials (no session token and no master key) to read and modify the internal tables in which relation mappings are stored, leading to unauthorized data access and privilege escalation through role membership.

Vulnerability

Parse Server fails to require the master key for access to its internal relation tables, so any client that presents the application key (the app ID or client key, which is embedded in client applications and is not a secret) can perform create, read, update and delete operations on relation mappings through the REST or GraphQL API. Because role membership is itself stored as a relation (the users and roles fields of _Role objects), an otherwise unauthenticated attacker can add their own user to a privileged role and thereby bypass Class-Level Permissions (CLP) granted to that role.

Business impact

Successful exploitation grants an attacker full administrative control over the backend data, including the ability to read, modify, or delete sensitive records. With a CVSS score of 10.0, this amounts to a complete compromise of the application's confidentiality and integrity and can result in significant data breaches.

Remediation

Immediate Action: Upgrade Parse Server to a fixed version without delay: 8.6.20 on the 8.x release line, or 9.5.2-alpha.7 on the 9.x pre-release line.

Proactive Monitoring: Review API access logs for requests that address internal relation tables directly, and audit role membership (the users and roles relations on _Role objects) for members that were not added by an administrator. Because the attack bypasses the normal role endpoints, comparing the actual membership against a known-good baseline is more reliable than looking for role-update requests alone.
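
The membership audit described above, as an added example that is not part of the advisory or of the Parse Server code base. It builds the documented Parse REST "$relatedTo" query that lists the users in a role's users relation (to be sent with the master key) and diffs the observed membership against an administrator-maintained baseline. The role names, user objectIds and baseline data are constructed for the example.

```javascript
// Added example (not from the advisory or the Parse Server project):
// surface users injected into a privileged role regardless of the API path
// that was used to add them, by comparing observed _Role membership with a
// baseline maintained by administrators.

// Build the documented Parse REST "$relatedTo" where-clause that returns the
// _User objects in a role's `users` relation. Send it as GET /classes/_User
// with the master key; client-key access is exactly what this advisory says
// cannot be trusted for relation data.
function relatedUsersWhere(roleObjectId) {
  return JSON.stringify({
    $relatedTo: {
      object: { __type: 'Pointer', className: '_Role', objectId: roleObjectId },
      key: 'users',
    },
  });
}

// Compare observed memberships with the baseline. Both inputs map a role
// name to an array of _User objectIds. Returns one finding per unexpected
// member and one per role that does not exist in the baseline at all.
function auditRoleMemberships(observed, baseline) {
  const findings = [];
  for (const [role, members] of Object.entries(observed)) {
    if (!Object.prototype.hasOwnProperty.call(baseline, role)) {
      findings.push({ role, issue: 'role not in baseline', userId: null });
      continue;
    }
    const allowed = new Set(baseline[role]);
    for (const userId of members) {
      if (!allowed.has(userId)) {
        findings.push({ role, issue: 'unexpected member', userId });
      }
    }
  }
  return findings;
}

// Constructed sample data with hypothetical objectIds for a stand-alone run.
const BASELINE = { Admin: ['u1Admin'], Moderator: ['u1Admin', 'u2Mod'] };
const OBSERVED = {
  Admin: ['u1Admin', 'u9Attacker'], // member that no administrator added
  Moderator: ['u1Admin', 'u2Mod'],
  Support: ['u3Temp'],              // role that is not in the baseline
};

console.log(auditRoleMemberships(OBSERVED, BASELINE));
console.log(relatedUsersWhere('r1Admin'));
```

Run the audit on a schedule from a trusted host and alert on any finding. Roles can also inherit through the roles relation of _Role, so a complete audit queries that relation (key 'roles') the same way and checks nested membership as well.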

Compensating Controls: Until the upgrade is deployed, restrict reachability of the Parse Server API endpoints to known, trusted source IP addresses at the network level (firewall, security group or reverse proxy). This is only effective where the set of clients is fixed; a public mobile or web app cannot be protected this way, and there the upgrade is the only real fix.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is critical because sensitive operations on internal tables are reachable without the master key check that should protect them. Administrators must prioritize patching Parse Server to the fixed versions above to prevent unauthorized privilege escalation and data manipulation.