GHSA-HPM8-9QX6-JVWV Parser Server's streaming file download bypasses afterFind file trigger authorization

Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...

GHSA-72HP-QFF8-4PVV Parse Server has a protected fields bypass via logical query operators

Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...

Parse Server has a protected fields bypass via logical query operators

Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...

EUVD-2026-10170

Parse Server: File metadata endpoint bypasses beforeFind / afterFind trigger authorization...

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Impact The file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any...

CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVE-2026-30850 Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVE-2026-30850 Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVE-2023-41058

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

BIT-PARSE-2022-36079 Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

Incorrect Control Flow Implementation

Parse server is vulnerable to Incorrect Control Flow Implementation vulnerability. The vulnerability is caused by not invoking beforeFind trigger when executing the Parse.Query method in certain conditions. This can lead to access control issues when beforeFind is used as a security layer to modi...

Information disclosure

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

GHSA-FCV6-FG5R-JM9Q Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query. Patches The...

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query. Patches The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

Parse Server Security Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server version 1.0.0, which stems from the Parse Cloud trigger "beforeFind" not being called under certain conditions in "Parse.Query"...

PT-2023-27766 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.5.5 Parse Server versions prior to 6.2.2 Description: The issue concerns the Parse Cloud trigger beforeFind not being invoked in certain conditions of Parse.Query. This poses a risk for deployments where the...