CVE-2026-30966
Published: 10 March 2026
Summary
CVE-2026-30966 is a critical-severity Improper Access Control (CWE-284) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 19.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on API requests to internal relation tables, preventing unauthorized CRUD operations using only the application key.
- SI-2 (Flaw Remediation): requires timely remediation and patching of the Parse Server flaw exposing internal tables prior to versions 9.5.2-alpha.7 and 8.6.20.
- Least privilege for application keys: limits application keys to the minimal necessary access, mitigating privilege escalation via role injection and CLP bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in the Parse Server REST/GraphQL API allows unauthenticated attackers holding only the application key to directly manipulate internal role-relation tables, enabling account manipulation to join privileged roles and bypass CLP authorization checks (T1078/T1098). This is a direct exploitation of a public-facing application interface (T1190) and an abuse of the authorization mechanism (T1548).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Deeper analysis
CVE-2026-30966 is an improper access control vulnerability (CWE-284) in Parse Server, an open source backend deployable on any Node.js infrastructure. Versions prior to 9.5.2-alpha.7 and 8.6.20 expose internal tables that store Relation field mappings, such as role memberships, to direct access via the REST API or GraphQL API. This access requires only the application key, with no master key needed, allowing arbitrary creation, reading, updating, or deletion of records in these tables. The issue carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L), indicating critical severity.
Any remote attacker with knowledge of an affected Parse Server's application key can exploit this vulnerability without authentication or user interaction. By manipulating internal relationship tables, the attacker can inject themselves into any Parse Role, thereby inheriting all associated permissions, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Additionally, writing to tables backing Relation fields used in pointerFields CLP enables bypass of those access controls, potentially granting comprehensive data manipulation across the application.
The vulnerability is addressed in Parse Server releases 9.5.2-alpha.7 and 8.6.20, as detailed in the corresponding GitHub release notes and security advisory GHSA-5f92-jrq3-28rc. Security practitioners should upgrade to these versions or later to mitigate the issue, ensuring that internal tables are no longer directly accessible without proper authorization.
Details
- CWE(s): CWE-284 (Improper Access Control)