CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any...

CVE-2026-30966

Parse Server prior to 9.5.2-alpha.7 and 8.6.20 is vulnerable: internal tables backing Relation field mappings are accessible via REST/GraphQL using only the application key, allowing any client to create/read/update/delete records in relation tables and potentially inject themselves into any Pars...

CVE-2026-30965

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

CVE-2026-30965

Parse Server is affected by a vulnerability in its query handling that allowed an attacker to exfiltrate other users’ session tokens via the redirectClassNameForKey query parameter. This could enable account takeover for both authenticated and unauthenticated attackers, depending on Class-Level P...

CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVE-2026-30962

Parse Server is vulnerable prior to versions 9.5.2-alpha.6 and 8.6.19 due to a flawed protection check that only validates top-level query keys for protected fields. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed, allowing any authenticated us...

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVE-2026-30962

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

CVE-2026-30949

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

CVE-2026-30949

CVE-2026-30949 affects Parse Server deployments using the Keycloak authentication adapter. The issue is that the azp (authorized party) claim in Keycloak access tokens is not validated against the configured client-id, enabling a valid token from one client to authenticate as any user on Parse Se...

CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

CVE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with...

CVE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with...

CVE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with...