CVE-2026-29182
Published: 06 March 2026
Summary
CVE-2026-29182 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing Parse Server (T1190) via flawed readOnlyMasterKey auth, directly facilitating privilege escalation from read-only to mutating operations (T1068) and server-side JS execution via Cloud Hooks/Jobs (T1059.007).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all…
more
write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
Deeper analysisAI
CVE-2026-29182 is a high-severity authorization vulnerability (CWE-863) in Parse Server, an open-source backend deployable on any Node.js infrastructure. In versions prior to 8.6.4 and 9.4.1-alpha.3, the readOnlyMasterKey option, which is documented to provide master-level read privileges while denying all write operations, incorrectly permits mutating actions on certain endpoints. This flaw enables unauthorized modifications despite the read-only intent, affecting any Parse Server deployment that enables the readOnlyMasterKey option.
An attacker with knowledge of the readOnlyMasterKey—who requires high privileges (PR:H) as per the CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)—can exploit this over the network with low complexity. Successful exploitation allows the creation, modification, or deletion of Cloud Hooks, as well as the initiation of Cloud Jobs, potentially leading to data exfiltration from the targeted Parse Server instance.
Parse Server has addressed this issue in versions 8.6.4 and 9.4.1-alpha.3, as detailed in the project's release notes and security advisory (GHSA-vc89-5g3r-cmhh). Security practitioners should upgrade to these patched versions and review deployments using the readOnlyMasterKey option to ensure proper key management and restrict its exposure.
Details
- CWE(s)