Cyber Resilience

CVE-2026-32878

Severity: Medium
Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (3.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32878 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-32878 is a prototype pollution vulnerability in Parse Server, an open source backend deployable on any infrastructure that can run Node.js. In versions prior to 9.6.0-alpha.20 and 8.6.44, the deep copy mechanism used in request processing lets an attacker bypass both the default request keyword denylist and the class-level permission that restricts adding fields. This CWE-1321 issue enables injection of unauthorized fields into class schemas whose field additions are locked down; it is rated CVSS v3 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), driven by the high integrity impact.

An unauthenticated remote attacker can exploit this by sending a crafted request whose keys pollute object prototypes during deep copying, so the denylist check never sees the prohibited keyword. Successful exploitation injects fields into protected schemas and can cause permanent schema type conflicts that persist even when the master key is used, disrupting data integrity and schema management without requiring any privileges.

Parse Server addresses this in versions 9.6.0-alpha.20 and 8.6.44 by replacing the vulnerable third-party deep copy library with a built-in deep clone mechanism that safely handles prototype properties, ensuring the denylist correctly detects and rejects prohibited keywords. No known workarounds exist, as detailed in the project's security advisory (GHSA-9ccr-fpp6-78qf) and related pull requests.


Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.
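The advisory above and the "Deeper analysis" section both describe the same root cause: a deep copy that mishandles a prototype key, so the request keyword denylist never sees it. The following added illustration (written for this page; it is not Parse Server's code, and the denylist contents and request body are constructed assumptions) shows why an ordinary `out[key] = value` copy hides an own `__proto__` key from an own-key denylist scan while still making the injected field reachable, and how a clone that defines own data properties keeps the key visible so the existing check can reject it.

```javascript
// Added illustration (not Parse Server's code) of the mechanism the advisory
// describes: an unsafe deep copy turns an own "__proto__" key into a prototype
// change, so an own-key denylist scan no longer sees the prohibited keyword,
// while a safe clone keeps it as an own key where the scan can reject it.

// Assumed request-keyword denylist (illustrative, not the project's actual list).
const DENYLIST = ['__proto__', 'constructor', 'prototype'];

// Constructed request body: an ordinary field plus a prohibited "__proto__" key
// carrying a field that should never reach the schema.
const SAMPLE_BODY = '{"objectId":"abc123","__proto__":{"injectedField":"x"}}';

// Unsafe deep copy: `out[key] = ...` is an ordinary assignment, and for the key
// "__proto__" that does not create an own property; it re-points the prototype
// of `out` to the copied value.
function naiveDeepCopy(value) {
  if (Array.isArray(value)) return value.map(naiveDeepCopy);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    out[key] = naiveDeepCopy(value[key]);
  }
  return out;
}

// Safe deep clone: every key becomes an own data property, so "__proto__" stays
// an ordinary own key and the copy keeps Object.prototype as its prototype.
function safeDeepClone(value) {
  if (Array.isArray(value)) return value.map(safeDeepClone);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    Object.defineProperty(out, key, {
      value: safeDeepClone(value[key]),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return out;
}

// Denylist check over own keys, recursing into nested objects and arrays.
// Returns the first prohibited key found, or null when the request is clean.
function findDeniedKey(value) {
  if (Array.isArray(value)) {
    for (const item of value) {
      const hit = findDeniedKey(item);
      if (hit) return hit;
    }
    return null;
  }
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (DENYLIST.includes(key)) return key;
    const hit = findDeniedKey(value[key]);
    if (hit) return hit;
  }
  return null;
}

// Run the denylist check against a copy produced by the given clone function and
// report what a later consumer of that copy would observe.
function inspectRequest(rawJson, cloneFn) {
  const copy = cloneFn(JSON.parse(rawJson));
  return {
    denied: findDeniedKey(copy),                 // null means the check passed
    fieldLeaked: 'injectedField' in copy,        // reachable through inheritance?
    prototypeChanged: Object.getPrototypeOf(copy) !== Object.prototype,
  };
}

console.log('naive copy:', inspectRequest(SAMPLE_BODY, naiveDeepCopy));
console.log('safe clone:', inspectRequest(SAMPLE_BODY, safeDeepClone));
```

With the naive copy the check reports no denied key even though `injectedField` is reachable on the copy, which is the order-of-operations failure the fix removes; with the safe clone the same request is rejected on `__proto__`. The `in` and `Object.getPrototypeOf` probes in `inspectRequest` are a useful unit-test shape for any deep-copy or merge helper that handles request bodies.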

CWE(s)

CWE-1321 Prototype Pollution

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated exploitation of public-facing Parse Server via crafted web request to bypass controls and achieve integrity impact directly matches T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30939 (same product: Parseplatform Parse-Server)
CVE-2026-30947 (same product: Parseplatform Parse-Server)
CVE-2026-31871 (same product: Parseplatform Parse-Server)
CVE-2026-32886 (same product: Parseplatform Parse-Server)
CVE-2026-34784 (same product: Parseplatform Parse-Server)
CVE-2026-32098 (same product: Parseplatform Parse-Server)
CVE-2026-32594 (same product: Parseplatform Parse-Server)
CVE-2026-31800 (same product: Parseplatform Parse-Server)
CVE-2026-34532 (same product: Parseplatform Parse-Server)
CVE-2026-30967 (same product: Parseplatform Parse-Server)

Affected Assets

parseplatform / parse-server
Listed versions: 9.6.0; ≤ 8.6.44; 9.0.0 through 9.6.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates CVE-2026-32878 by requiring timely remediation through patching to versions 9.6.0-alpha.20 or 8.6.44, which replace the vulnerable deep copy library.

Input validation (prevent)
Validates and sanitizes crafted requests to block prototype pollution payloads that bypass the request keyword denylist and class-level field restrictions.

RA-5 Vulnerability Monitoring and Scanning (detect)
Scans for vulnerable Parse Server versions prior to 9.6.0-alpha.20 and 8.6.44, enabling identification and patching of affected deployments.
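The RA-5 control above amounts to a version check, and the fixed version on the 9.x line is a pre-release, which trips up naive string comparison (`"9.6.0-alpha.3" > "9.6.0-alpha.20"` as strings). The following added example (written for this page, not a scanner the page or the project provides) implements semver precedence and applies the fixed versions the advisory names, 8.6.44 and 9.6.0-alpha.20; the manifest it reads is a constructed sample, and treating major lines after 9.x as fixed is an assumption.

```javascript
// Added example (not from the page or the project): a version check for the
// RA-5 scanning control, using the fixed versions the advisory names
// (8.6.44 and 9.6.0-alpha.20). Comparison follows semver precedence so that a
// pre-release such as 9.6.0-alpha.3 sorts below 9.6.0-alpha.20, which a plain
// string comparison gets wrong.

// Fixed versions taken from the advisory text.
const FIXED_8X = '8.6.44';
const FIXED_9X = '9.6.0-alpha.20';

// Split "v?MAJOR.MINOR.PATCH[-pre.release][+build]" into numeric core and
// pre-release identifiers; build metadata is ignored per the semver spec.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Returns -1, 0 or 1 following semver precedence: numeric identifiers compare
// numerically, numeric ranks below alphanumeric, and a release outranks its
// own pre-releases.
function compareSemver(a, b) {
  const A = parseSemver(a);
  const B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.pre.length === 0 || B.pre.length === 0) {
    if (A.pre.length === B.pre.length) return 0;
    return A.pre.length === 0 ? 1 : -1;
  }
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  if (A.pre.length === B.pre.length) return 0;
  return A.pre.length < B.pre.length ? -1 : 1;
}

// Vulnerable when below 8.6.44 on the 8.x (or earlier) line, or below
// 9.6.0-alpha.20 on the 9.x line. Assumption: later major lines are treated as fixed.
function isVulnerableParseServer(version) {
  const { core } = parseSemver(version);
  if (core[0] >= 9) return compareSemver(version, FIXED_9X) < 0;
  return compareSemver(version, FIXED_8X) < 0;
}

// Assess the manifest of an installed copy (for example the contents of
// node_modules/parse-server/package.json) and return a finding record.
function assessPackageJson(text) {
  const pkg = JSON.parse(text);
  if (pkg.name !== 'parse-server') return { vulnerable: false, reason: 'not parse-server' };
  return {
    vulnerable: isVulnerableParseServer(pkg.version),
    version: pkg.version,
    fixedIn: `${FIXED_8X} (8.x) / ${FIXED_9X} (9.x)`,
  };
}

// Constructed sample of an installed package manifest.
const SAMPLE_MANIFEST = '{"name":"parse-server","version":"9.6.0-alpha.3"}';
console.log(assessPackageJson(SAMPLE_MANIFEST));
```

Feed `assessPackageJson` the manifest of each deployed instance (or the `version` reported by the running service) rather than the range declared in an application's own `package.json`, since a caret range can resolve to either side of the fix.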
