CVE-2026-30228 | THREATINT

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-06 | Updated 2026-03-06 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 8.6.5

affected

< 9.5.0-alpha.3

affected

References

github.com/...server/security/advisories/GHSA-xfh7-phr7-gr2x

github.com/parse-community/parse-server/releases/tag/8.6.5

github.com/...munity/parse-server/releases/tag/9.5.0-alpha.3

cve.org (CVE-2026-30228)

nvd.nist.gov (CVE-2026-30228)

Download JSON