Cyber Resilience

CVE-2026-31872

Severity: High
Published: 11 March 2026
Modified: 13 March 2026
CISA KEV: not listed
Patch: fixed in 8.6.32 and 9.6.0-alpha.6
CVSS v4.0 base score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N; threat, environmental and supplemental metrics not defined)
EPSS score: 0.0037 (28.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31872 is a high-severity Improper Access Control (CWE-284) vulnerability in Parse Server (Parseplatform Parse-Server). Its CVSS v4.0 base score is 8.7 (High); the CVSS v3.1 base score is 7.5.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the retrieved data falling under Data from Information Repositories (T1213). EPSS ranks it at the 28.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31872 is a vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed by using dot-notation in query WHERE clauses and sort parameters. This enables attackers to query or sort by sub-fields within a protected field, facilitating a binary oracle attack to enumerate protected field values. The flaw affects deployments using both MongoDB and PostgreSQL.

Unauthenticated attackers with network access can exploit the flaw; the CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5). The protectedFields CLP strips the protected field from the response, but a where constraint or sort key written in dot-notation against a sub-field of that same field is still evaluated against the hidden value. Whether, or where, an object then appears in the results answers a yes/no question about that value, and repeating the query with narrowing bounds recovers it one bit per request without the field ever being returned. The impact is therefore high on confidentiality with no effect on integrity or availability, and the weakness is classified as CWE-284 (Improper Access Control).

The fix is to upgrade to Parse Server 8.6.32 on the 8.x line or 9.6.0-alpha.6 on the 9.x line. Note that the 9.x fix first shipped in a pre-release, so 9.x deployments should confirm that the installed version (npm ls parse-server) is at or past that tag rather than assuming a stable 9.x tag includes it. Official details are provided in the project's security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g and release notes at https://github.com/parse-community/parse-server/releases/tag/8.6.32 and https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6.
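The following is an added illustration, not code from Parse Server, its advisory or its fix: a deliberately simplified model in JavaScript of a protectedFields check, showing why evaluating a dot-notation constraint against a hidden sub-field turns result presence into a binary oracle, and the query-path check (on where keys and sort keys alike) that closes it. The Employee class, its records, the payroll field and the salary values are constructed for the example, and the where/order shape only mimics the Parse REST parameters; it is not Parse Server's query engine.

```javascript
// Added example (not Parse Server code): a simplified model of a protectedFields
// class-level permission, a where-clause matcher, and a binary-oracle enumerator.
// All names and records below are constructed for illustration.

// Constructed sample records for a hypothetical "Employee" class.
const RECORDS = [
  { objectId: "a1", name: "Ada",   payroll: { salary: 91000,  iban: "GB00TEST0001" } },
  { objectId: "b2", name: "Bao",   payroll: { salary: 57000,  iban: "GB00TEST0002" } },
  { objectId: "c3", name: "Chloe", payroll: { salary: 120500, iban: "GB00TEST0003" } },
];

// protectedFields for the unauthenticated (public) role: 'payroll' must never be returned.
const PROTECTED_FIELDS = ["payroll"];

// Resolve a dot-notation path such as "payroll.salary" against a record.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Minimal matcher for a Parse-style `where` object: each key is a field path,
// each value is a literal or a {$gt,$gte,$lt,$lte} constraint object.
function matches(record, where) {
  return Object.entries(where).every(([path, cond]) => {
    const v = getPath(record, path);
    if (cond !== null && typeof cond === "object") {
      if ("$gt" in cond && !(v > cond.$gt)) return false;
      if ("$gte" in cond && !(v >= cond.$gte)) return false;
      if ("$lt" in cond && !(v < cond.$lt)) return false;
      if ("$lte" in cond && !(v <= cond.$lte)) return false;
      return true;
    }
    return v === cond;
  });
}

// Response-side redaction: the part of the CLP that works as intended.
function stripProtected(record) {
  const out = { ...record };
  for (const f of PROTECTED_FIELDS) delete out[f];
  return out;
}

// Vulnerable model: the filter runs over the full record, including sub-fields
// of protected fields, and only the response is redacted. The field never leaks
// directly, but whether an object matches depends on its hidden value.
function findVulnerable(where) {
  return RECORDS.filter((r) => matches(r, where)).map(stripProtected);
}

// Hardened model: refuse any where key or sort key whose root segment names a
// protected field, so dot-notation sub-field references are rejected up front.
function rootField(path) {
  return path.split(".")[0];
}
function assertNoProtectedKeys(where, order = []) {
  const keys = [...Object.keys(where), ...order.map((k) => k.replace(/^-/, ""))];
  for (const k of keys) {
    if (PROTECTED_FIELDS.includes(rootField(k))) {
      throw new Error(`Permission denied: cannot query or sort on protected field '${k}'`);
    }
  }
}
function findHardened(where, order = []) {
  assertNoProtectedKeys(where, order);
  return RECORDS.filter((r) => matches(r, where)).map(stripProtected);
}

// Binary oracle: each request asks "is payroll.salary < mid for this object?"
// and learns one bit from whether the object is returned at all. An integer in
// [lo, hi) is recovered in ceil(log2(hi - lo)) requests.
function recoverSalary(find, objectId, lo = 0, hi = 1 << 20) {
  let requests = 0;
  while (hi - lo > 1) {
    const mid = Math.floor((lo + hi) / 2);
    requests++;
    const hit = find({ objectId, "payroll.salary": { $lt: mid } }).length > 0;
    if (hit) hi = mid; else lo = mid;
  }
  return { value: lo, requests };
}

// Demonstration: the hidden salary is recovered through the vulnerable model,
// while the hardened model rejects the first oracle query.
console.log("vulnerable:", recoverSalary(findVulnerable, "a1"));
try {
  recoverSalary(findHardened, "a1");
} catch (e) {
  console.log("hardened:", e.message);
}
```

Against the vulnerable model, recoverSalary reads a 20-bit value in 20 requests while the payroll field is absent from every response, which is why response-side redaction alone is not an access-control boundary. The hardened model rejects the same query at the root-field level; that check has to cover sort keys as well as where keys, since ordering by a hidden sub-field leaks the same comparison result through result position.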


Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.

CWE(s)

CWE-284 Improper Access Control
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

The CVE enables unauthenticated remote exploitation of a public-facing Parse Server (T1190) via crafted queries that bypass the CLP, which in turn gives unauthorized retrieval of sensitive data from the backend database (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30966 · Same product: Parseplatform Parse-Server
CVE-2026-34532 · Same product: Parseplatform Parse-Server
CVE-2026-30967 · Same product: Parseplatform Parse-Server
CVE-2026-34784 · Same product: Parseplatform Parse-Server
CVE-2026-30947 · Same product: Parseplatform Parse-Server
CVE-2026-31871 · Same product: Parseplatform Parse-Server
CVE-2026-32098 · Same product: Parseplatform Parse-Server
CVE-2026-32594 · Same product: Parseplatform Parse-Server
CVE-2026-31800 · Same product: Parseplatform Parse-Server
CVE-2026-32878 · Same product: Parseplatform Parse-Server

Affected Assets

parseplatform / parse-server
Affected: all 8.x versions before 8.6.32, and 9.0.0 up to but not including 9.6.0-alpha.6 (8.6.32 and 9.6.0-alpha.6 are the fixed releases, not affected ones)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent)
Timely flaw remediation through upgrading Parse Server to the patched versions 8.6.32 or 9.6.0-alpha.6 directly eliminates the protectedFields CLP bypass. This is the control that actually fixes the issue; the two below are defense in depth.

AC-3 Access Enforcement (prevent)
Enforcing authorizations on the query path as well as the response path, so that where constraints and sort keys referencing a protected field or any of its sub-fields are rejected rather than merely redacted from the output, closes the class of bypass described here.

SI-10 Information Input Validation (prevent)
Validating query inputs for dot-notation and malformed sub-field references that resolve into protected fields mitigates the binary oracle attack that enumerates protected data. Any such validation must be applied to sort parameters, not only to WHERE clauses, since the advisory names both.

References

GitHub security advisory GHSA-r2m8-pxm9-9c4g: https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g
Parse Server 8.6.32 release notes: https://github.com/parse-community/parse-server/releases/tag/8.6.32
Parse Server 9.6.0-alpha.6 release notes: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6