SQL Injection Vulnerability in Parse Server by Parse Community
CVE-2026-31840

9.3CRITICAL

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
11 March 2026

What is CVE-2026-31840?

A serious vulnerability exists in Parse Server, allowing attackers to execute SQL injection attacks against PostgreSQL databases. This occurs due to improper escaping of sub-field values in dot-notation field names used in combination with sort, distinct, and where query parameters. Versions prior to 9.6.0-alpha.2 and 8.6.28 are affected. Users should update to the latest versions to mitigate this risk. For further details, refer to the advisory and release notes.

Affected Version(s)

parse-server >= 9.0.0 < 9.6.0-alpha.2 < 9.0.0 9.6.0-alpha.2

parse-server < 8.6.28 < 8.6.28

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/releases/...
x_refsource_MISC
https://github.com/parse-community/parse-server/releases/...
x_refsource_MISC

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.