Class-Level Permission Bypass in Parse Server by Parse Community
CVE-2026-31872

8.7 HIGH

Key Information:

Vendor
CVE Published: 11 March 2026

What is CVE-2026-31872?

A vulnerability in Parse Server allows an attacker to bypass class-level permissions by using dot-notation in query WHERE clauses and sort parameters. This can lead to unauthorized access to protected fields, potentially exposing sensitive data. Affected versions are those prior to 9.6.0-alpha.6 and 8.6.32. Both the MongoDB and PostgreSQL implementations are affected, so deployments on either database should update to a fixed version immediately.

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.6

parse-server < 8.6.32

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
