GHSA-VC89-5G3R-CMHH

Vulnerability from github – Published: 2026-03-05 00:33 – Updated: 2026-03-06 22:51
VLAI?
Summary
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Details

Impact

Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.

Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability.

Patches

The fix adds authorization checks, rejecting mutating requests made with the readOnlyMasterKey.

Workarounds

There is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the readOnlyMasterKey value is not shared with untrusted parties.

Resources

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh
  • Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3
  • Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4
Severity ?
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.1-alpha.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.4.1-alpha.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.6.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:33:18Z",
    "nvd_published_at": "2026-03-06T21:16:15Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nParse Server\u0027s `readOnlyMasterKey` option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the `readOnlyMasterKey` for mutating operations. This allows a caller who only holds the `readOnlyMasterKey` to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.\n\nAny Parse Server deployment that uses the `readOnlyMasterKey` option is affected. Note than an attacker needs to know the `readOnlyMasterKey` to exploit this vulnerability.\n\n### Patches\n\nThe fix adds authorization checks, rejecting mutating requests made with the `readOnlyMasterKey`.\n\n### Workarounds\n\nThere is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the `readOnlyMasterKey` value is not shared with untrusted parties.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh\n- Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3\n- Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4",
  "id": "GHSA-vc89-5g3r-cmhh",
  "modified": "2026-03-06T22:51:35Z",
  "published": "2026-03-05T00:33:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29182"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server\u0027s Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.