Lucene search
K

6 matches found

Cvelist
Cvelist
added 2026/03/06 8:26 p.m.21 views

CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

8.5CVSS0.00388EPSS
Exploits0References3
CVE
CVE
added 2026/03/06 8:26 p.m.16 views

CVE-2026-30229

CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....

8.5CVSS5.8AI score0.00388EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/06 8:26 p.m.6 views

CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

8.5CVSS5.9AI score0.00388EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/06 6:46 p.m.1 views

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the /loginAs endpoint when using the readOnlyMasterKey credential. An attacker can impersonate...

8.5CVSS5.9AI score0.00388EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/06 6:46 p.m.5 views

EUVD-2026-10060

parse-server's endpoint /loginAs allows readOnlyMasterKey to gain full read and write access as any user...

8.5CVSS5.8AI score0.00388EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/06 6:46 p.m.9 views

parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Impact The readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. Patches The fix...

8.5CVSS5.9AI score0.00388EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder