2 matches found
GHSA-5F92-JRQ3-28RC Parse Server has role escalation and CLP bypass via direct `_Join` table write
Impact Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any...
CVE-2026-30966
Parse Server prior to 9.5.2-alpha.7 and 8.6.20 is vulnerable: internal tables backing Relation field mappings are accessible via REST/GraphQL using only the application key, allowing any client to create/read/update/delete records in relation tables and potentially inject themselves into any Pars...