CVE-2026-31872
Published: 11 March 2026
Summary
CVE-2026-31872 is a high-severity Improper Access Control (CWE-284) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31872 is a vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed by using dot-notation in query WHERE clauses and sort parameters. This lets an attacker query or sort by sub-fields within a protected field, which enables a binary oracle attack to enumerate protected field values. The flaw affects both MongoDB and PostgreSQL deployments.
Unauthenticated attackers with network access can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By crafting queries with dot-notation on sub-fields, they can leak sensitive data from protected fields through repeated oracle-style comparisons, achieving high confidentiality impact without compromising integrity or availability. This is classified under CWE-284 (Improper Access Control).
Mitigation is available via upgrades to Parse Server 9.6.0-alpha.6 or 8.6.32, which address the bypass. Official details are provided in the project's security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g and release notes at https://github.com/parse-community/parse-server/releases/tag/8.6.32 and https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11279
Vulnerability details
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters.
An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote exploitation of a public-facing Parse Server (T1190) via crafted queries that bypass the CLP, directly facilitating unauthorized retrieval of sensitive data from the backend information repository/database (T1213).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely flaw remediation by upgrading Parse Server to patched versions 9.6.0-alpha.6 or 8.6.32 directly eliminates the protectedFields CLP bypass.
- AC-3 (Access Enforcement): Enforcing approved authorizations prevents bypass of class-level permissions on protected fields via dot-notation in queries and sorts.
- Input validation: Validating query inputs for dot-notation and malformed sub-field references mitigates the binary oracle attack that enables enumeration of protected data.
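As an added example of the query-input validation control above (this is not Parse Server's own code and is not part of the advisory): a check that walks a Parse REST query's `where` and `order` parameters and flags dot-notation keys whose root is a protectedFields entry, the bypass pattern described under Deeper analysis. The field names, sample requests and the `findProtectedFieldProbes`/`scanRequests` helpers are constructed for illustration, and non-dotted references to protected fields are assumed to be enforced by the CLP itself.

```javascript
// Added example, not Parse Server code. Field names and requests are constructed.
// Root segment of a dotted key: "ssn.last4" -> "ssn".
function rootField(key) {
  return key.split('.')[0];
}

// Collect every field key in a Parse `where` object, descending into the
// logical operators ($and/$or/$nor) whose values are arrays of sub-clauses.
// Comparison operators ($gt, $exists, ...) live under a field key, not as keys.
function collectWhereKeys(where, out = []) {
  if (!where || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    if (key.startsWith('$')) {
      if (Array.isArray(value)) value.forEach((sub) => collectWhereKeys(sub, out));
      continue;
    }
    out.push(key);
  }
  return out;
}

// Normalise `order` (comma-separated string or array, optional leading '-')
// into bare field keys.
function collectOrderKeys(order) {
  if (!order) return [];
  const parts = Array.isArray(order) ? order : String(order).split(',');
  return parts.map((p) => p.trim().replace(/^-/, '')).filter(Boolean);
}

// Dotted keys whose root is in protectedFields; empty means no bypass path.
// Non-dotted references are left to the CLP itself (assumed already enforced).
function findProtectedFieldProbes(protectedFields, { where, order } = {}) {
  const guarded = new Set(protectedFields);
  const keys = [...collectWhereKeys(where), ...collectOrderKeys(order)];
  return keys.filter((k) => k.includes('.') && guarded.has(rootField(k)));
}

// Constructed sample requests against a class whose CLP protects two fields.
const PROTECTED_FIELDS = ['ssn', 'medicalNotes'];
const SAMPLE_REQUESTS = [
  { name: 'plain', where: { username: 'alice' }, order: 'createdAt' },
  { name: 'dotted-where', where: { $or: [{ 'ssn.last4': { $exists: true } }, { username: 'bob' }] } },
  { name: 'dotted-order', where: {}, order: '-medicalNotes.summary,createdAt' },
];

// Per-request findings, so a gateway can reject them or an audit job can log them.
function scanRequests(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ name: r.name, probes: findProtectedFieldProbes(PROTECTED_FIELDS, r) }));
}
```

Only the dotted case is flagged, so this is a pre-query gate or log scanner to run alongside the upgrade, not a substitute for it.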