CVE-2026-31872

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.32	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::*

History

13 Mar 2026, 18:24

Type	Values Removed	Values Added
First Time		Parseplatform Parseplatform parse-server
Summary		(es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.6.0-alpha.6 y 8.6.32, el permiso a nivel de clase (CLP) protectedFields puede ser eludido usando la notación de puntos en cláusulas WHERE de consulta y parámetros de ordenación. Un atacante puede usar la notación de puntos para consultar u ordenar por subcampos de un campo protegido, lo que permite un ataque de oráculo binario para enumerar los valores de los campos protegidos. Esto afecta tanto a las implementaciones de MongoDB como de PostgreSQL. Esta vulnerabilidad está corregida en 9.6.0-alpha.6 y 8.6.32.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/parse-community/parse-server/releases/tag/8.6.32 -~~	() https://github.com/parse-community/parse-server/releases/tag/8.6.32 - Product, Release Notes
References	~~() https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6 -~~	() https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6 - Product, Release Notes
References	~~() https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g -~~	() https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g - Patch, Vendor Advisory
CPE		cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*

11 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 18:16

Updated : 2026-03-13 18:24

NVD link : CVE-2026-31872

Mitre link : CVE-2026-31872

CVE.ORG link : CVE-2026-31872

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-284

Improper Access Control

7.5 /10