EUVD-2026-10882

Parse Server has role escalation and CLP bypass via direct Join table write...

EUVD-2026-10883

Parse Server has role escalation and CLP bypass via direct Join table write...

Missing Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization via direct access to internal relationship tables through the REST API or GraphQL API using only the...

Parse Server has role escalation and CLP bypass via direct `_Join` table write

Impact Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any...

GHSA-5F92-JRQ3-28RC Parse Server has role escalation and CLP bypass via direct `_Join` table write

Impact Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any...

EUVD-2026-10880

Parse Server vulnerable to session token exfiltration via redirectClassNameForKey query parameter...

Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Impact A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30965 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30965 Source advisory: OSV:GHSA-6R2J-CXGF-495F...

EUVD-2026-10881

Parse Server vulnerable to session token exfiltration via redirectClassNameForKey query parameter...

GHSA-6R2J-CXGF-495F Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Impact A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the redirectClassNameForKey query parameter handling. An unauthenticated attacker can gain...

EUVD-2026-10879

Parse Server has a protected fields bypass via logical query operators...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30962 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30962 Source advisory: OSV:GHSA-72HP-QFF8-4PVV...

GHSA-72HP-QFF8-4PVV Parse Server has a protected fields bypass via logical query operators

Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...

EUVD-2026-10878

Parse Server has a protected fields bypass via logical query operators...

Parse Server has a protected fields bypass via logical query operators

Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the query validation. An authenticated user can access sensitive field values by wrapping...

EUVD-2026-10869

Parse Server missing audience validation in Keycloak authentication adapter...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30949 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30949 Source advisory: OSV:GHSA-48MH-J4P5-7J9V...

EUVD-2026-10868

Parse Server missing audience validation in Keycloak authentication adapter...