BIT-PARSE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client...

CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

CVE-2026-30966

Parse Server prior to 9.5.2-alpha.7 and 8.6.20 is vulnerable: internal tables backing Relation field mappings are accessible via REST/GraphQL using only the application key, allowing any client to create/read/update/delete records in relation tables and potentially inject themselves into any Pars...