CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:-::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8::::node.js::*

History

10 Mar 2026, 16:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7::::node.js::* cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:-::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2::::node.js::*
References	~~() https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc -~~	() https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc - Vendor Advisory
First Time		Parseplatform Parseplatform parse-server
Summary		(es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.9 y 9.5.0-alpha.9, el endpoint de metadatos de archivos (GET /files/:appId/metadata/:filename) no aplica los triggers de archivo beforeFind / afterFind. Cuando estos triggers se utilizan como puertas de control de acceso, el endpoint de metadatos los omite por completo, permitiendo el acceso no autorizado a los metadatos de los archivos. Este problema ha sido parcheado en las versiones 8.6.9 y 9.5.0-alpha.9.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9

07 Mar 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 17:15

Updated : 2026-03-10 16:55

NVD link : CVE-2026-30850

Mitre link : CVE-2026-30850

CVE.ORG link : CVE-2026-30850

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-862

Missing Authorization

5.9 /10