Cyber Resilience

CVE-2026-31871

Critical

Published: 11 March 2026

Published
11 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31871 is a critical-severity SQL Injection (CWE-89) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31871 is a SQL injection vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. It affects versions prior to 9.6.0-alpha.5 and 8.6.31, specifically in the PostgreSQL storage adapter during Increment operations on nested object fields using dot notation, such as "stats.counter." The vulnerability arises because the sub-key name is interpolated directly into SQL string literals without proper escaping, enabling injection via crafted inputs containing single quotes. Only PostgreSQL deployments are impacted.

An unauthenticated remote attacker can exploit this by sending write requests to the Parse Server REST API. By crafting a sub-key name with malicious SQL payloads in an Increment operation, the attacker can inject arbitrary SQL queries. This allows execution of database commands, data exfiltration, or manipulation, while bypassing Class-Level Permissions (CLPs) and Access Control Lists (ACLs). The CVSS v3.1 base score of 9.8 reflects its critical severity due to network accessibility, low complexity, and high impact on confidentiality, integrity, and availability.

Parse Server advisories recommend upgrading to version 9.6.0-alpha.5 or 8.6.31, where the vulnerability is fixed by properly escaping sub-key names in SQL queries. Details are available in the GitHub security advisory GHSA-gqpp-xgvh-9h7h and release notes for the patched versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object…

more

fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing Parse Server REST API (PostgreSQL adapter) directly enables remote exploitation of the application for unauthenticated DB command execution, data exfiltration and manipulation while bypassing ACLs/CLPs.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33539Same product: Parseplatform Parse-Server
CVE-2026-31856Same product: Parseplatform Parse-Server
CVE-2026-31840Same product: Parseplatform Parse-Server
CVE-2026-34784Same product: Parseplatform Parse-Server
CVE-2026-32098Same product: Parseplatform Parse-Server
CVE-2026-32878Same product: Parseplatform Parse-Server
CVE-2026-34532Same product: Parseplatform Parse-Server
CVE-2026-30967Same product: Parseplatform Parse-Server
CVE-2026-32594Same product: Parseplatform Parse-Server
CVE-2026-31800Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.6.0 · ≤ 8.6.31 · 9.0.0 — 9.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation through upgrading Parse Server to patched versions that properly escape sub-key names in SQL queries.

prevent

Prevents SQL injection by enforcing validation of user-supplied sub-key names interpolated into PostgreSQL queries during Increment operations.

prevent

Restricts sub-key names in REST API Increment requests to safe characters, blocking malicious payloads with single quotes.

References