CVE-2026-32878
Published: 18 March 2026
Summary
CVE-2026-32878 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-32878 by requiring timely remediation through patching to versions 9.6.0-alpha.20 or 8.6.44, which replace the vulnerable deep copy library.
- Input validation: validates and sanitizes crafted requests to block prototype pollution payloads that bypass the request keyword denylist and class-level field restrictions.
- RA-5 (Vulnerability Monitoring and Scanning): scans for vulnerable Parse Server versions prior to 9.6.0-alpha.20 and 8.6.44, enabling identification and patching of affected deployments.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remote unauthenticated exploitation of public-facing Parse Server via crafted web request to bypass controls and achieve integrity impact directly matches T1190 Exploit Public-Facing Application.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.
Deeper analysis (AI)
CVE-2026-32878 is a prototype pollution vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 9.6.0-alpha.20 and 8.6.44, the deep copy mechanism used in request processing allows attackers to bypass the default request keyword denylist protection and class-level permissions that restrict field additions. This CWE-1321 issue enables the injection of unauthorized fields into class schemas where additions are locked down, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) due to high integrity impact.
Any unauthenticated remote attacker can exploit this by sending a crafted request that pollutes prototypes during deep copying, evading denylist checks. Successful exploitation injects fields into protected schemas, potentially causing permanent schema type conflicts that persist even when using the master key, disrupting data integrity and schema management without requiring privileges.
Parse Server addresses this in versions 9.6.0-alpha.20 and 8.6.44 by replacing the vulnerable third-party deep copy library with a built-in deep clone mechanism that safely handles prototype properties, ensuring the denylist correctly detects and rejects prohibited keywords. No known workarounds exist, as detailed in the project's security advisory (GHSA-9ccr-fpp6-78qf) and related pull requests.
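The clone-then-denylist behaviour the advisory describes, as an added illustration that is not Parse Server's own code: a deep clone that copies only own enumerable keys and records a `__proto__` key as ordinary data (never as a prototype assignment), followed by a keyword denylist check run over the clone so the prohibited key is still visible to it. The denylist contents, the `processRequestBody` wrapper and the sample request bodies are constructed for this example and do not reflect Parse Server's actual configuration or request format.

```javascript
// Added example, not Parse Server code: a prototype-safe deep clone plus a
// keyword denylist check that runs on the cloned object.
'use strict';

// Keys that must never be assigned with `obj[key] = value`, because on a
// plain object `__proto__` is an accessor that rewrites the prototype.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed denylist for this example (the real option is configurable).
const DEFAULT_DENYLIST = ['__proto__', 'constructor'];

function safeDeepClone(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(safeDeepClone);
  const out = {};
  // Object.keys: own enumerable keys only, inherited properties are skipped.
  for (const key of Object.keys(value)) {
    const cloned = safeDeepClone(value[key]);
    if (PROTOTYPE_KEYS.has(key)) {
      // Define as an own data property so the key survives as plain data
      // (and stays visible to later checks) instead of mutating prototypes.
      Object.defineProperty(out, key, {
        value: cloned, enumerable: true, writable: true, configurable: true,
      });
    } else {
      out[key] = cloned;
    }
  }
  return out;
}

// Walks the (cloned) object and returns the dotted path of the first key
// that appears on the denylist, or null when the body is clean.
function findDeniedKeyword(value, denylist = DEFAULT_DENYLIST, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (denylist.includes(key)) return here;
    const nested = findDeniedKeyword(value[key], denylist, here);
    if (nested) return nested;
  }
  return null;
}

// Hypothetical request pipeline: parse, clone safely, then apply the denylist.
function processRequestBody(rawJson) {
  // JSON.parse creates "__proto__" as an own property, not a prototype change.
  const parsed = JSON.parse(rawJson);
  const cloned = safeDeepClone(parsed);
  const hit = findDeniedKeyword(cloned);
  if (hit) return { ok: false, reason: `prohibited keyword at ${hit}` };
  return { ok: true, body: cloned };
}

// Constructed sample bodies: one with a nested prototype key, one clean.
const rejected = processRequestBody('{"name":"x","nested":{"__proto__":{"injected":1}}}');
const accepted = processRequestBody('{"name":"x","tags":["a","b"]}');
console.log(rejected.ok, rejected.reason);          // false 'prohibited keyword at nested.__proto__'
console.log(accepted.ok, ({}).injected === undefined); // true true

module.exports = { safeDeepClone, findDeniedKeyword, processRequestBody };
```

The design point is that the clone must neither silently drop the prototype key (which would let a later schema write operate on a body the denylist never saw in full) nor assign it through `obj[key] = value`; keeping it as an own data property means the denylist check that already exists can reject the request.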
Details
- CWE(s)