CVE-2026-29182 (GCVE-0-2026-29182)
Vulnerability from cvelistv5 – Published: 2026-03-06 20:24 – Updated: 2026-03-09 20:34
VLAI?
Title
Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
< 8.6.4
Affected: < 9.4.1-alpha.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:29:41.548934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:34:21.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.4"
},
{
"status": "affected",
"version": "\u003c 9.4.1-alpha.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server\u0027s readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T20:24:10.802Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.4"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3"
}
],
"source": {
"advisory": "GHSA-vc89-5g3r-cmhh",
"discovery": "UNKNOWN"
},
"title": "Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29182",
"datePublished": "2026-03-06T20:24:10.802Z",
"dateReserved": "2026-03-04T14:44:00.713Z",
"dateUpdated": "2026-03-09T20:34:21.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-29182\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T21:16:15.137\",\"lastModified\":\"2026-03-10T19:53:34.383\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server\u0027s readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.\"},{\"lang\":\"es\",\"value\":\"Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.4 y 9.4.1-alpha.3, la opci\u00f3n readOnlyMasterKey de Parse Server permite el acceso con privilegios de lectura a nivel maestro, pero est\u00e1 documentada para denegar todas las operaciones de escritura. Sin embargo, algunos endpoints aceptan incorrectamente la readOnlyMasterKey para operaciones de mutaci\u00f3n. Esto permite a un llamador que solo posee la readOnlyMasterKey crear, modificar y eliminar Cloud Hooks e iniciar Cloud Jobs, lo que puede ser utilizado para la exfiltraci\u00f3n de datos. Cualquier despliegue de Parse Server que utilice la opci\u00f3n readOnlyMasterKey se ve afectado. Tenga en cuenta que un atacante necesita conocer la readOnlyMasterKey para explotar esta vulnerabilidad. Este problema ha sido parcheado en las versiones 8.6.4 y 9.4.1-alpha.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"8.6.4\",\"matchCriteriaId\":\"41A471BF-7EE9-4E57-B9F6-1BDB37D27275\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndIncluding\":\"9.4.0\",\"matchCriteriaId\":\"9FF0ADC7-6AA6-44F7-8CA9-E0A2F1C1D63A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CC1C695A-70C0-45C8-867F-4541537F370B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.4.1:alpha2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"2B1E392B-A41C-460C-8811-AA0473393870\"}]}]}],\"references\":[{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/8.6.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Patch\"]},{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Patch\"]},{\"url\":\"https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29182\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T20:29:41.548934Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T20:29:52.688Z\"}}], \"cna\": {\"title\": \"Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction\", \"source\": {\"advisory\": \"GHSA-vc89-5g3r-cmhh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"parse-community\", \"product\": \"parse-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.6.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 9.4.1-alpha.3\"}]}], \"references\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh\", \"name\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.4\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server\u0027s readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T20:24:10.802Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-29182\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T20:34:21.169Z\", \"dateReserved\": \"2026-03-04T14:44:00.713Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T20:24:10.802Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…