CVE-2026-33539

High

Published: 24 March 2026

Modified: 25 March 2026
KEV Added: not listed
CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0045 (35.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33539 is a high-severity SQL Injection (CWE-89) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33539 is a SQL injection vulnerability (CWE-89) in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. It affects Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 when using PostgreSQL as the database backend. The flaw arises from insufficient sanitization, allowing SQL metacharacters to be injected into field name parameters of the aggregate $group pipeline stage or the distinct operation, enabling arbitrary SQL statement execution on the underlying PostgreSQL database. MongoDB deployments remain unaffected.

Exploitation requires an attacker to possess master key access to Parse Server, aligning with the high privileges required (PR:H) in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). With this access, an attacker can craft requests to inject malicious SQL, resulting in privilege escalation from Parse Server application-level administrator rights to full PostgreSQL database-level access, potentially allowing data exfiltration, modification, or destruction.

The issue has been patched in Parse Server versions 8.6.59 and 9.6.0-alpha.53, as detailed in the GitHub security advisory GHSA-p2w6-rmh7-w8q3 and associated commits and pull requests (e.g., #10272, #10273). Security practitioners should prioritize upgrading affected PostgreSQL-based deployments to these versions for mitigation.
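As an added illustration of the input-validation control the advisory points to (example code written here, not Parse Server's own code or its fix), the Node.js helper below validates and quotes a client-supplied field name before it is placed in a PostgreSQL DISTINCT query. The `Player` class, the `score` column and the schema Set are constructed for the example.

```javascript
// Added example, not Parse Server code: hardening a client-controlled
// "field name" parameter before it reaches PostgreSQL query text.
// Bind parameters ($1, $2, ...) cannot stand in for column or table names,
// so identifiers must be validated and quoted rather than parameterised.

// Conservative allow-list: letters, digits and underscore, not starting with
// a digit. Every SQL metacharacter (quotes, ';', '--', parentheses, commas,
// whitespace) fails this test before it can alter the statement.
const FIELD_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Validate an identifier. `schemaFields` is an optional (hypothetical) Set of
// the column names known for the class; when given, it is a second layer that
// rejects syntactically valid names that do not exist in the schema.
function assertValidFieldName(field, schemaFields) {
  if (typeof field !== 'string' || !FIELD_NAME_RE.test(field)) {
    throw new Error(`invalid field name: ${JSON.stringify(field)}`);
  }
  if (schemaFields && !schemaFields.has(field)) {
    throw new Error(`unknown field: ${field}`);
  }
  return field;
}

// Quote a validated identifier. Doubling embedded double quotes is the
// PostgreSQL escaping rule; after the regex above none can remain, but
// quoting still keeps reserved words (a column named "user") working.
function quoteIdent(ident) {
  return `"${ident.replace(/"/g, '""')}"`;
}

// Build a DISTINCT query: class and column names are validated and quoted,
// while the data value (the row limit) stays a bind parameter.
function buildDistinctQuery(className, field, limit, schemaFields) {
  const cls = quoteIdent(assertValidFieldName(className));
  const col = quoteIdent(assertValidFieldName(field, schemaFields));
  if (!Number.isInteger(limit) || limit <= 0) {
    throw new Error(`invalid limit: ${String(limit)}`);
  }
  return {
    text: `SELECT DISTINCT ${col} FROM ${cls} LIMIT $1`,
    values: [limit],
  };
}

module.exports = { assertValidFieldName, quoteIdent, buildDistinctQuery };
```

The same check applies to every identifier taken from a request, including the field names inside an aggregate `$group` stage, since any of them ends up in query text rather than in a bind parameter.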

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing Parse Server directly enables application exploitation (T1190) and explicit privilege escalation from app-level master key to full PostgreSQL DB access (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

parseplatform / parse-server: 9.6.0 · ≤ 8.6.59 · 9.0.0 to 9.6.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of inputs like field name parameters in Parse Server's aggregate $group and distinct operations to block SQL metacharacter injection.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of flaws through patching affected Parse Server versions (prior to 8.6.59 and 9.6.0-alpha.53) to eliminate the SQL injection vulnerability.

Least privilege (prevent): Enforces least privilege to minimize users or processes with master key access required for exploitation, reducing the attack surface for privilege escalation to PostgreSQL.