Cyber Resilience

CVE-2026-29182

High

Published: 06 March 2026

Published
06 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29182 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-29182 is a high-severity authorization vulnerability (CWE-863) in Parse Server, an open-source backend deployable on any Node.js infrastructure. In versions prior to 8.6.4 and 9.4.1-alpha.3, the readOnlyMasterKey option, which is documented to provide master-level read privileges while denying all write operations, incorrectly permits mutating actions on certain endpoints. This flaw enables unauthorized modifications despite the read-only intent, affecting any Parse Server deployment that enables the readOnlyMasterKey option.

An attacker with knowledge of the readOnlyMasterKey—who requires high privileges (PR:H) as per the CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)—can exploit this over the network with low complexity. Successful exploitation allows the creation, modification, or deletion of Cloud Hooks, as well as the initiation of Cloud Jobs, potentially leading to data exfiltration from the targeted Parse Server instance.

Parse Server has addressed this issue in versions 8.6.4 and 9.4.1-alpha.3, as detailed in the project's release notes and security advisory (GHSA-vc89-5g3r-cmhh). Security practitioners should upgrade to these patched versions and review deployments using the readOnlyMasterKey option to ensure proper key management and restrict its exposure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all…

more

write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

CVE enables exploitation of public-facing Parse Server (T1190) via flawed readOnlyMasterKey auth, directly facilitating privilege escalation from read-only to mutating operations (T1068) and server-side JS execution via Cloud Hooks/Jobs (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34532Same product: Parseplatform Parse-Server
CVE-2026-30947Same product: Parseplatform Parse-Server
CVE-2026-30965Same product: Parseplatform Parse-Server
CVE-2026-30229Same product: Parseplatform Parse-Server
CVE-2026-30863Same product: Parseplatform Parse-Server
CVE-2026-33539Same product: Parseplatform Parse-Server
CVE-2026-30967Same product: Parseplatform Parse-Server
CVE-2026-34784Same product: Parseplatform Parse-Server
CVE-2026-31871Same product: Parseplatform Parse-Server
CVE-2026-31828Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.4.1 · ≤ 8.6.4 · 9.0.0 — 9.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that the readOnlyMasterKey may only be used for read operations and rejects its use on mutating Cloud Hooks/Jobs endpoints.

prevent

Ensures the readOnlyMasterKey is restricted to the minimal privileges documented (read-only), preventing the unintended write access observed in the CVE.

prevent

Requires prompt application of the vendor patches (8.6.4 / 9.4.1-alpha.3) that correct the incorrect authorization checks for the readOnlyMasterKey.

References