
11 matches found

RedhatCVE
added 2026/03/08 1:44 a.m., 5 views

CVE-2026-30228

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...

CVSS 6.9, AI score 5.8, EPSS 0.00329
Exploits 0, References 1

ATTACKERKB
added 2026/03/06 8:26 p.m., 14 views

CVE-2026-30229

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

CVSS 8.5, AI score 5.8, EPSS 0.00388
Exploits 0, References 4, Affected Software 1

Cvelist
added 2026/03/06 8:26 p.m., 20 views

CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

CVSS 8.5, EPSS 0.00388
Exploits 0, References 3

ATTACKERKB
added 2026/03/06 8:25 p.m., 6 views

CVE-2026-30228

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...

CVSS 6.9, AI score 5.8, EPSS 0.00329
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2026/03/06 8:24 p.m., 2 views

CVE-2026-29182 Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some...

CVSS 8.6, AI score 5.7, EPSS 0.0038
Exploits 0, References 3

Snyk
added 2026/03/06 6:46 p.m., 1 view

Incorrect Authorization

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the /loginAs endpoint when using the readOnlyMasterKey credential. An attacker can impersonate...

CVSS 8.5, AI score 5.9, EPSS 0.00388
Exploits 0, References 2

Github Security Blog
added 2026/03/06 6:45 p.m., 7 views

parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction

Impact: The readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and expos...

CVSS 6.9, AI score 5.9, EPSS 0.00329
Exploits 0, References 5, Affected Software 1

Github Security Blog
added 2026/03/05 12:33 a.m., 12 views

Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Impact: Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to...

CVSS 8.6, AI score 5.9, EPSS 0.0038
Exploits 0, References 5, Affected Software 1

OSV
added 2026/03/05 12:33 a.m., 3 views

GHSA-VC89-5G3R-CMHH Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Impact: Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to...

CVSS 8.6, AI score 5.9, EPSS 0.0038
Exploits 0, References 5

RedhatCVE
added 2026/02/26 4:15 a.m., 8 views

CVE-2026-27595

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read...

CVSS 9.9, AI score 5.8, EPSS 0.0045
Exploits 0, References 1

Vulnrichment
added 2026/02/25 2:16 a.m., 4 views

CVE-2026-27608 Parse Dashboard Missing Authorization on Agent Endpoint

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by...

CVSS 9.3, AI score 5.4, EPSS 0.0022
Exploits 0, References 2