
4 matches found

Vulnrichment
added 2026/03/06 8:26 p.m., 1 view

CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

CVSS 8.5, AI score 5.8, EPSS 0.00388
Exploits: 0, References: 3
OSV
added 2026/03/06 6:46 p.m., 5 views

GHSA-79WJ-8RQV-JVP5 parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Impact: The readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. Patches: The fix...

CVSS 8.5, AI score 5.9, EPSS 0.00388
Exploits: 0, References: 5
CNNVD
added 2026/03/06 12:0 a.m., 3 views

Parse Server security vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.6 and 9.5.0-alpha.4. These vulnerabilities stemmed from the ability of readOnlyMasterKey...

CVSS 8.5, AI score 5.8, EPSS 0.00388
Exploits: 0, References: 4
Positive Technologies
added 2026/03/06 12:0 a.m., 4 views

PT-2026-23753

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.6; Parse Server versions prior to 9.5.0-alpha.4. Description: Parse Server is an open-source backend deployable on Node.js infrastructures. A read-only master key can be used to call the POST /loginAs API...

CVSS 8.5, AI score 5.8, EPSS 0.00388
Exploits: 0, References: 13