CVE-2026-31872
Published: 11 March 2026
Summary
CVE-2026-31872 is a high-severity Improper Access Control (CWE-284) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry (CWE-284, Improper Access Control). These controls therefore address improper access control in general and do not by themselves close this specific CLP bypass; the upgrade listed under Deeper analysis does.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote exploitation of a public-facing Parse Server (T1190): crafted queries bypass the protectedFields CLP, directly facilitating unauthorized retrieval of sensitive data from the backend database (T1213, Data from Information Repositories).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Deeper analysis
CVE-2026-31872 is a vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed by using dot-notation in query WHERE clauses and sort parameters. The CLP strips protected fields from responses, but a query constraint or sort on a sub-field path (protectedField.subField) is still evaluated against the protected value. Whether a row comes back at all, or where it lands in a sorted result, therefore acts as a comparison oracle, and an attacker can enumerate protected field values with a binary search over such queries. The flaw affects deployments using both MongoDB and PostgreSQL.
Unauthenticated attackers with network access can exploit this vulnerability, as indicated by its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5). The impact is confined to confidentiality: protected field values leak, but nothing is modified and availability is unaffected. The data at risk is precisely whatever an operator relied on protectedFields to withhold from the querying role. It is classified under CWE-284 (Improper Access Control).
Mitigation is available by upgrading to Parse Server 8.6.32 (8.x line) or 9.6.0-alpha.6 (9.x pre-release line), which address the bypass. Official details are provided in the project's security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g and release notes at https://github.com/parse-community/parse-server/releases/tag/8.6.32 and https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6.
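The following is an added illustration of the weakness class described in the NVD description and the deeper analysis above. It is not Parse Server's own code: it is a toy model of a protectedFields check, a find endpoint that strips protected fields from responses, and the binary oracle that a dot-notation sub-field constraint makes possible. All names (PROTECTED_FIELDS, ROWS, find, oraclePin, vulnerableKeyAllowed, fixedKeyAllowed) and the sample rows are assumptions for this example, and the "fixed" policy is one plausible shape of a root-segment check, not the project's actual patch.

```javascript
// Added illustration, not Parse Server's own code. Toy model of a
// "protectedFields" class-level permission and of the dot-notation gap
// the advisory describes. All names here are assumptions for the example.

// Hypothetical CLP: the "secret" field of the class is protected.
const PROTECTED_FIELDS = ['secret'];

// Constructed sample rows. "secret" is an object so that its sub-field
// "pin" is addressable with dot-notation ("secret.pin").
const ROWS = [
  { objectId: 'a1', name: 'alice', secret: { pin: 4321 } },
  { objectId: 'b2', name: 'bob', secret: { pin: 1111 } },
];

// Vulnerable policy: the key is compared verbatim, so "secret" is blocked
// but "secret.pin" is not recognised as touching a protected field.
function vulnerableKeyAllowed(key, protectedFields) {
  return !protectedFields.includes(key);
}

// Fixed policy: compare the root segment of a dot-notation path.
function fixedKeyAllowed(key, protectedFields) {
  return !protectedFields.includes(key.split('.')[0]);
}

// Resolve a dot-notation path ("secret.pin") against an object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Minimal where-clause matcher: equality plus $lt/$lte/$gt/$gte.
function matches(row, where) {
  return Object.entries(where).every(([path, cond]) => {
    const v = getPath(row, path);
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, x]) => {
        if (op === '$lt') return v < x;
        if (op === '$lte') return v <= x;
        if (op === '$gt') return v > x;
        if (op === '$gte') return v >= x;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return v === cond;
  });
}

// Simulated find endpoint: reject disallowed keys in where/order under the
// supplied policy, then filter, sort, and strip protected fields from the
// response. The response never contains "secret" under either policy.
function find(rows, { where = {}, order } = {}, keyAllowed, protectedFields = PROTECTED_FIELDS) {
  const keys = Object.keys(where);
  if (order) keys.push(order.replace(/^-/, ''));
  for (const k of keys) {
    if (!keyAllowed(k, protectedFields)) throw new Error(`cannot query on protected field: ${k}`);
  }
  let out = rows.filter((r) => matches(r, where));
  if (order) {
    const desc = order.startsWith('-');
    const path = desc ? order.slice(1) : order;
    out = [...out].sort((a, b) => {
      const x = getPath(a, path);
      const y = getPath(b, path);
      return (x < y ? -1 : x > y ? 1 : 0) * (desc ? -1 : 1);
    });
  }
  return out.map((r) => {
    const copy = { ...r };
    for (const f of protectedFields) delete copy[f];
    return copy;
  });
}

// Binary oracle: whether the row comes back answers "is secret.pin <= mid?",
// so the value is recovered in about log2(range) requests even though no
// response ever includes the field itself.
function oraclePin(objectId, lo, hi, keyAllowed) {
  let requests = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    requests++;
    const res = find(ROWS, { where: { objectId, 'secret.pin': { $lte: mid } } }, keyAllowed);
    if (res.length === 1) hi = mid; else lo = mid + 1;
  }
  return { value: lo, requests };
}

// Stand-alone demo: the vulnerable policy leaks the pin, the fixed one rejects the query.
console.log('vulnerable policy:', oraclePin('a1', 0, 9999, vulnerableKeyAllowed));
try {
  oraclePin('a1', 0, 9999, fixedKeyAllowed);
} catch (e) {
  console.log('fixed policy:', e.message);
}
```

The same root-segment check must cover the order parameter as well as the where clause: sorting by secret.pin returns the rows in pin order, which leaks the relative values even without a comparison constraint. A deployment cannot verify protectedFields enforcement by inspecting response bodies alone; the test is whether a query or sort on a sub-field path of a protected field is rejected.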
Details
- CWE(s)