CVE-2026-32878 Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...

CVE-2026-32878

Parse Server is vulnerable to prototype pollution in its deep copy path prior to versions 9.6.0-alpha.20 and 8.6.44. An attacker can bypass the default denylist and class-level field-adding permissions by crafting a request, allowing injection of fields into locked schemas and causing permanent s...