CVE-2026-31840
Published: 11 March 2026
Summary
CVE-2026-31840 is a critical-severity SQL Injection (CWE-89) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the SQL injection flaw in Parse Server versions prior to 9.6.0-alpha.2 and 8.6.28 to remediate improper escaping of dot-notation query parameters.
Requires validation and sanitization of user inputs in sort, distinct, and where query parameters to block SQL injection via unescaped sub-field values in dot-notation.
Enables monitoring of system and database activities to identify anomalous SQL queries indicative of exploitation attempts exploiting the PostgreSQL injection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing Parse Server directly enables remote exploitation via T1190; arbitrary SQL also facilitates direct database collection (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject…
more
SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
Deeper analysisAI
CVE-2026-31840 is a SQL injection vulnerability in Parse Server, an open-source backend deployable on Node.js infrastructure. Affecting versions prior to 9.6.0-alpha.2 and 8.6.28, the flaw stems from improper escaping of sub-field values in dot-notation queries, allowing attackers to inject SQL into PostgreSQL databases. This issue arises specifically when using dot-notation field names with the sort query parameter and may also impact queries involving the distinct and where parameters. Deployments using databases other than PostgreSQL are unaffected. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Any unauthenticated attacker with network access to a vulnerable Parse Server instance can exploit this flaw remotely with low complexity and no user interaction required. By crafting a malicious request using dot-notation field names combined with the sort parameter (or potentially distinct/where), the attacker injects arbitrary SQL into PostgreSQL queries, potentially achieving high confidentiality, integrity, and availability impacts such as data exfiltration, modification, or deletion.
Parse Server advisories recommend upgrading to version 9.6.0-alpha.2 or 8.6.28, where the improper escaping issue has been fixed. Details are available in the project's security advisory (GHSA-qpr4-jrj4-6f27) and release notes for the patched versions.
Details
- CWE(s)