CVE-2026-33539
Published: 24 March 2026
Summary
CVE-2026-33539 is a high-severity SQL Injection (CWE-89) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 20.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of request-supplied field names used by Parse Server's aggregate $group and distinct operations, so that SQL metacharacters never reach the generated query text.
- SI-2 (Flaw Remediation): mandates timely patching of affected Parse Server versions (prior to 8.6.59 and 9.6.0-alpha.53) to 8.6.59, 9.6.0-alpha.53 or later, which removes the SQL injection.
- AC-6 (Least Privilege): limits which users and processes hold the master key that exploitation requires, and, on the database side, the privileges of the PostgreSQL role Parse Server connects with, which bounds what an injected statement can do after the application-to-database escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an internet-facing Parse Server is exploitation of a public-facing application (T1190), and turning application-level master key access into arbitrary SQL on the PostgreSQL backend is privilege escalation (T1068).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.
Deeper analysis
CVE-2026-33539 is a SQL injection vulnerability (CWE-89) in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. It affects Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 when using PostgreSQL as the database backend. The flaw arises from insufficient sanitization, allowing SQL metacharacters to be injected into field name parameters of the aggregate $group pipeline stage or the distinct operation, enabling arbitrary SQL statement execution on the underlying PostgreSQL database. MongoDB deployments remain unaffected.
Exploitation requires the attacker to already hold the Parse Server master key, which is why the CVSS v3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base score 7.2) rates privileges required as high. The master key is intended to live only in server-side configuration and trusted server code, so the realistic attacker is one who has obtained it through a leaked configuration, a compromised deployment, or a client that was wrongly given it. With the key, the attacker sends an aggregate or distinct request whose field name carries SQL metacharacters and thereby moves from Parse-level administrator to running statements directly against PostgreSQL, allowing data exfiltration, modification, or destruction. What those statements can do is bounded by the privileges of the PostgreSQL role Parse Server connects with: a role restricted to the application's own schema contains the damage far better than a superuser or database-owner role.
The issue is patched in Parse Server versions 8.6.59 and 9.6.0-alpha.53, as detailed in the GitHub security advisory GHSA-p2w6-rmh7-w8q3 and the associated commits and pull requests (e.g., #10272, #10273). Upgrade affected PostgreSQL-backed deployments to those versions or later; MongoDB-backed deployments need no action for this issue. Until the upgrade lands, treat the master key as the control boundary: keep it out of client applications and rotate it if there is any suspicion it has been exposed.
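As an added illustration of the bug class described above (this is example code, not Parse Server's own adapter, and the function names, table layout, result aliases and payload are assumptions), the vulnerable builders below splice a request-supplied field name into SQL the way a broken PostgreSQL adapter would for a distinct query or a $group stage, and the hardened builders apply the SI-10 control: validate the name against an identifier grammar, then quote it as a PostgreSQL identifier.

```javascript
// Added example, not Parse Server's code. It reproduces the bug class behind
// CVE-2026-33539: a request-supplied field name for a distinct query or a
// $group stage becomes a column identifier in the SQL a PostgreSQL adapter
// emits. The vulnerable builders splice the name in verbatim; the hardened
// builders validate it and quote it. Class/field names, result aliases and
// the payload are constructed for this example.

// --- vulnerable: request value copied straight into the SQL text -----------

function buildDistinctSqlVulnerable(className, field) {
  return `SELECT DISTINCT "${field}" FROM "${className}"`;
}

// groupKey is the $group stage's grouping reference, e.g. '$playerName'.
function buildGroupSqlVulnerable(className, groupKey) {
  const field = groupKey.slice(1); // strip the leading '$'
  return `SELECT "${field}" AS "objectId", COUNT(*) AS "count" ` +
         `FROM "${className}" GROUP BY "${field}"`;
}

// --- hardened: validate first, then quote as an identifier -----------------

// Assumed grammar for a single class or field name: identifier characters
// only. Dotted (nested) keys would need separate handling and are rejected.
const NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertName(kind, value) {
  if (typeof value !== 'string' || !NAME.test(value)) {
    throw new TypeError(`invalid ${kind}: ${JSON.stringify(value)}`);
  }
  return value;
}

// PostgreSQL identifier quoting: wrap in double quotes and double any
// embedded double quote. Defence in depth on top of assertName, not instead.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildDistinctSqlHardened(className, field) {
  const table = quoteIdent(assertName('class name', className));
  const column = quoteIdent(assertName('field name', field));
  return `SELECT DISTINCT ${column} FROM ${table}`;
}

function buildGroupSqlHardened(className, groupKey) {
  if (typeof groupKey !== 'string' || !groupKey.startsWith('$')) {
    throw new TypeError(`group key must be a "$field" reference: ${JSON.stringify(groupKey)}`);
  }
  const table = quoteIdent(assertName('class name', className));
  const column = quoteIdent(assertName('field name', groupKey.slice(1)));
  return `SELECT ${column} AS "objectId", COUNT(*) AS "count" ` +
         `FROM ${table} GROUP BY ${column}`;
}

// --- demonstration with a constructed payload ------------------------------

// A "field name" that closes the quoted identifier and appends a statement.
const PAYLOAD = 'score" FROM "GameScore"; DROP TABLE "_User"; --';

function demo() {
  const results = {
    vulnerable: buildDistinctSqlVulnerable('GameScore', PAYLOAD),
    hardenedRejects: false,
    hardenedOk: buildDistinctSqlHardened('GameScore', 'score'),
    groupOk: buildGroupSqlHardened('GameScore', '$playerName'),
  };
  try {
    buildDistinctSqlHardened('GameScore', PAYLOAD);
  } catch (e) {
    results.hardenedRejects = e instanceof TypeError;
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the vulnerable distinct query expanding to `SELECT DISTINCT "score" FROM "GameScore"; DROP TABLE "_User"; --" FROM "GameScore"`, i.e. the request now controls the SQL text, while the hardened builder refuses the same input with a TypeError before any SQL is assembled. Whether an appended statement actually executes depends on how the adapter submits queries and on the database role's privileges, which is exactly why SI-10 (reject the input) and AC-6 (a least-privilege PostgreSQL role) are the two controls to apply together; the master key check upstream does not substitute for either, since the key is precisely what the attacker in this CVE already has.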
Details
- CWE(s)