GHSA-P2W6-RMH7-W8Q3
Vulnerability from github – Published: 2026-03-24 19:12 – Updated: 2026-03-24 19:12
Summary
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Details
Impact
An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.
Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
Patches
Field names in the aggregate $group._id object values and distinct dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the :raw interpolation used in the PostgreSQL storage adapter.
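As an added example (not Parse Server's own code), the kind of allowlist check the patch describes, applied to a distinct dot-notation path and to the values of a $group _id object before any name is spliced into SQL; the regex, the function names and the jsonb path layout are assumptions.

```javascript
// Added example, not Parse Server code. Allowlist check in the spirit of the
// fix described above: a field name may only contain [A-Za-z0-9_] before it
// reaches a raw (unparameterised) SQL interpolation. Names and layout assumed.
const SAFE_FIELD_NAME = /^[A-Za-z0-9_]+$/;

function assertSafeFieldName(name) {
  if (typeof name !== 'string' || !SAFE_FIELD_NAME.test(name)) {
    throw new Error(`Invalid field name: ${JSON.stringify(name)}`);
  }
  return name;
}

function isSafeFieldName(name) {
  try { assertSafeFieldName(name); return true; } catch (e) { return false; }
}

// distinct("a.b.c"): every dot-separated segment is checked, then the path is
// rendered as a jsonb access on the top-level column (assumed storage layout).
function distinctColumnSql(dotPath) {
  const parts = dotPath.split('.').map(assertSafeFieldName);
  if (parts.length === 1) return `"${parts[0]}"`;
  const col = parts[0];
  const inner = parts.slice(1, -1).map(p => `'${p}'`);
  const last = parts[parts.length - 1];
  return [`"${col}"`, ...inner].join('->') + `->>'${last}'`;
}

// aggregate $group: { _id: { city: '$address.city', n: '$name' } }
// Each value must be a "$field" reference; the field goes through the same check.
function groupByColumnsSql(groupId) {
  return Object.values(groupId).map(value => {
    if (typeof value !== 'string' || !value.startsWith('$')) {
      throw new Error('group _id values must be "$field" references');
    }
    return distinctColumnSql(value.slice(1));
  }).join(', ');
}

// Constructed usage: a well-formed request and two names the check rejects.
console.log(groupByColumnsSql({ city: '$address.city', n: '$name' }));
console.log(isSafeFieldName('user_id'), isSafeFieldName('name"'), isSafeFieldName('first-name'));
```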
Workarounds
No workaround. Upgrade to a patched version.
Severity
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.6.0-alpha.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:12:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.\n\nOnly Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.\n\n### Patches\n\nField names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.\n\n### Workarounds\n\nNo workaround. Upgrade to a patched version.",
  "id": "GHSA-p2w6-rmh7-w8q3",
  "modified": "2026-03-24T19:12:06Z",
  "published": "2026-03-24T19:12:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10272"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10273"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter"
}