CVE-2026-31871
Published: 11 March 2026
Summary
CVE-2026-31871 is a critical-severity SQL Injection (CWE-89) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation through upgrading Parse Server to patched versions that properly escape sub-key names in SQL queries.
Prevents SQL injection by enforcing validation of user-supplied sub-key names interpolated into PostgreSQL queries during Increment operations.
Restricts sub-key names in REST API Increment requests to safe characters, blocking malicious payloads with single quotes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing Parse Server REST API (PostgreSQL adapter) directly enables remote exploitation of the application for unauthenticated DB command execution, data exfiltration and manipulation while bypassing ACLs/CLPs.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object…
more
fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.
Deeper analysisAI
CVE-2026-31871 is a SQL injection vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. It affects versions prior to 9.6.0-alpha.5 and 8.6.31, specifically in the PostgreSQL storage adapter during Increment operations on nested object fields using dot notation, such as "stats.counter." The vulnerability arises because the sub-key name is interpolated directly into SQL string literals without proper escaping, enabling injection via crafted inputs containing single quotes. Only PostgreSQL deployments are impacted.
An unauthenticated remote attacker can exploit this by sending write requests to the Parse Server REST API. By crafting a sub-key name with malicious SQL payloads in an Increment operation, the attacker can inject arbitrary SQL queries. This allows execution of database commands, data exfiltration, or manipulation, while bypassing Class-Level Permissions (CLPs) and Access Control Lists (ACLs). The CVSS v3.1 base score of 9.8 reflects its critical severity due to network accessibility, low complexity, and high impact on confidentiality, integrity, and availability.
Parse Server advisories recommend upgrading to version 9.6.0-alpha.5 or 8.6.31, where the vulnerability is fixed by properly escaping sub-key names in SQL queries. Details are available in the GitHub security advisory GHSA-gqpp-xgvh-9h7h and release notes for the patched versions.
Details
- CWE(s)