364 matches found
CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
CVE-2026-30229
CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....
CVE-2026-30228
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-30228
Parse Server is affected where the readOnlyMasterKey is used with the Files API (POST /files/:filename, DELETE /files/:filename). Prior to versions 8.6.5 and 9.5.0-alpha.3, this could bypass the read-only restriction, allowing an attacker with the readOnlyMasterKey to upload arbitrary files or de...
GHSA-79WJ-8RQV-JVP5 parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Impact: The readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. Patches: The fix...
EUVD-2026-10059
parse-server's file creation and deletion bypasses readOnlyMasterKey write restriction...
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Impact: The readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and expos...
Parse Server Security Vulnerability
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.5 and 9.5.0-alpha.3. These vulnerabilities stemmed from the use of readOnlyMasterKey,...
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Impact: Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to...
PT-2026-23438
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.4; Parse Server versions prior to 9.4.1-alpha.3. Description: Parse Server deployments utilizing the readOnlyMasterKey option are susceptible to unauthorized modifications. The readOnlyMasterKey is intended to...
CVE-2026-27595
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read...
GHSA-JHP4-JVQ3-W5XR Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact: The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches: The...
EUVD-2026-8593
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions...
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact: The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches: The...
Parse Dashboard is Missing Authorization for its Agent Endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and c...
EUVD-2026-8595
Parse Dashboard has incomplete authentication on AI Agent endpoint...
Parse Dashboard has incomplete authentication on AI Agent endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. Patches: The fix adds authentication middleware to th...
GHSA-QWC3-H9MG-4582 Parse Dashboard has incomplete authentication on AI Agent endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. Patches: The fix adds authentication middleware to th...
CVE-2026-27595
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read...