SQL Injection Vulnerability in Parse Server PostgreSQL Deployments
CVE-2026-33539

8.6 HIGH

Key Information:

Vendor:
CVE Published: 24 March 2026

What is CVE-2026-33539?

An SQL injection vulnerability exists in Parse Server before versions 8.6.59 and 9.6.0-alpha.53 that allows an attacker holding master key permissions to execute arbitrary SQL on the underlying PostgreSQL database. The injection is performed by placing SQL metacharacters in certain fields of the aggregate $group pipeline stage or of distinct operations. The result is a privilege escalation from Parse Server’s application-level administrative access to direct manipulation of the database. Only deployments using PostgreSQL are affected; MongoDB-based deployments are not. The fix is included in versions 8.6.59 and 9.6.0-alpha.53.
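As an added illustration (not Parse Server’s own code, and not how its PostgreSQL adapter is actually implemented), the following constructed JavaScript shows the class of fix this advisory implies: field names coming from a `distinct` query or a `$group` stage are validated against a strict identifier pattern and quoted before they reach the SQL string, instead of being spliced in raw. The class and field names used are assumed.

```javascript
// Constructed illustration, not Parse Server code: build the PostgreSQL
// queries behind `distinct` and an aggregate `$group` stage while treating
// the user-supplied field name as an identifier that must be validated.

// Only allow the identifier shape an application schema actually uses.
// Quotes, semicolons, comment markers and whitespace are rejected up front.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertSafeIdentifier(name) {
  if (typeof name !== 'string' || !SAFE_IDENT.test(name)) {
    throw new Error(`Invalid field name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Quote as a PostgreSQL identifier after validation. Doubling any internal
// double quote is defence in depth; the regex above already forbids them.
function quoteIdent(name) {
  return `"${assertSafeIdentifier(name).replace(/"/g, '""')}"`;
}

// The unsafe pattern the advisory describes: the field is interpolated
// verbatim, so any SQL metacharacters in it become part of the statement.
function buildDistinctUnsafe(className, field) {
  return `SELECT DISTINCT ${field} FROM "${className}"`;
}

// Hardened equivalent for `distinct`.
function buildDistinct(className, field) {
  return `SELECT DISTINCT ${quoteIdent(field)} FROM ${quoteIdent(className)}`;
}

// Hardened equivalent for a `$group` stage of the form
// { $group: { _id: '$field' } }: strip the leading '$', then validate.
function buildGroup(className, groupStage) {
  const ref = groupStage && groupStage._id;
  if (typeof ref !== 'string' || !ref.startsWith('$')) {
    throw new Error('$group _id must be a "$field" reference');
  }
  const col = quoteIdent(ref.slice(1));
  const table = quoteIdent(className);
  return `SELECT ${col} AS "objectId", COUNT(*) AS "count" FROM ${table} GROUP BY ${col}`;
}
```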

Affected Version(s)

  • parse-server < 8.6.59 (fixed in 8.6.59)

  • parse-server >= 9.0.0, < 9.6.0-alpha.53 (fixed in 9.6.0-alpha.53)

References

CVSS v4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved