CVE-2026-30228
Published 2026-03-06
| Priority | CVSS 3.1 | Vector | EPSS | EPSS percentile |
|---|---|---|---|---|
| P434 | 4.9 (medium) | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 0.33% | 24.7th |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.5 | 8.6.5 |
| parse-community | parse-server | < 9.5.0-alpha.3 | 9.5.0-alpha.3 |
| parse-community | parse-server | >= 0 < 8.6.5 | 8.6.5 |
| parse-community | parse-server | >= 9.0.0 < 9.5.0-alpha.3 | 9.5.0-alpha.3 |
| parseplatform | parse-server | < 8.6.5 | 8.6.5 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | 9.0.0 – 9.4.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
ghsa · 2026-03-06 · CVE-2026-30228 · MEDIUM · CWE-863
### Impact
The `readOnlyMasterKey` can be used to create and delete files via the Files API (`POST /files/:filename`, `DELETE /files/:filename`). This bypasses the read-only restriction which violates the access scope of the `readOnlyMasterKey`.
Any Parse Server deployment that uses `readOnlyMasterKey` and exposes the Files API is affected. An attacker with access to the `readOnlyMasterKey` can upload arbitrary files or delete existing files.
### Patches
The fix adds permission checks to both the file upload and file delete handlers.
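As an added illustration that is not Parse Server's own code, the following Node.js model shows the authorization gap the advisory describes and the shape of the check the patch adds to the write handlers: a request authenticated with the read-only master key is still a master-level request, so a handler that only asks "is this a master request?" lets it create and delete files, while a handler that also refuses read-only master requests on writes does not. The header name, the key values, the in-memory store, and the rule that uploads require master-level access are assumptions constructed for this example.

```javascript
// Added example, not Parse Server's code: a simplified model of the Files API
// authorization described in the advisory. Header name, key values and the
// in-memory store are assumptions constructed for illustration.

const CONFIG = {
  masterKey: 'constructed-master-key',           // constructed sample value
  readOnlyMasterKey: 'constructed-readonly-key', // constructed sample value
};

// Resolve the caller's privilege level from the master-key header.
// Assumption: the read-only key is presented in the same header as the full key.
function classifyAuth(headers, config = CONFIG) {
  const presented = headers['x-parse-master-key'];
  if (presented === undefined || presented === '') {
    return { isMaster: false, isReadOnlyMaster: false };
  }
  if (presented === config.masterKey) {
    return { isMaster: true, isReadOnlyMaster: false };
  }
  if (config.readOnlyMasterKey && presented === config.readOnlyMasterKey) {
    return { isMaster: true, isReadOnlyMaster: true };
  }
  return { isMaster: false, isReadOnlyMaster: false }; // unknown key: unprivileged
}

// Files API handler. `enforceReadOnly` switches between the pre-fix model
// (master-level access alone permits writes, so the read-only key passes)
// and the patched model (writes also require that the master request is not
// read-only). Requiring master-level access for uploads is a simplification
// of this model, not a statement about Parse Server's upload rules.
function handleFileRequest(store, { method, filename, headers, body }, { enforceReadOnly }) {
  const auth = classifyAuth(headers);
  const isWrite = method === 'POST' || method === 'DELETE';

  if (isWrite && !auth.isMaster) {
    return { status: 403, error: 'unauthorized' };
  }
  if (isWrite && enforceReadOnly && auth.isReadOnlyMaster) {
    // The permission check the patch adds to both write handlers, as modelled here.
    return { status: 403, error: 'read-only master key cannot modify files' };
  }

  switch (method) {
    case 'POST':
      store.set(filename, body);
      return { status: 201, name: filename };
    case 'DELETE':
      if (!store.delete(filename)) return { status: 404, error: 'not found' };
      return { status: 200 };
    case 'GET':
      if (!store.has(filename)) return { status: 404, error: 'not found' };
      return { status: 200, body: store.get(filename) };
    default:
      return { status: 405, error: 'method not allowed' };
  }
}

// Replay the same read-only-key requests against one model and report the
// status of each call plus what is left in the store afterwards.
function simulateReadOnlyKey(enforceReadOnly) {
  const store = new Map([['existing.txt', 'constructed file contents']]);
  const headers = { 'x-parse-master-key': CONFIG.readOnlyMasterKey };
  const opts = { enforceReadOnly };
  return {
    read: handleFileRequest(store, { method: 'GET', filename: 'existing.txt', headers }, opts).status,
    create: handleFileRequest(store, { method: 'POST', filename: 'new.txt', headers, body: 'x' }, opts).status,
    remove: handleFileRequest(store, { method: 'DELETE', filename: 'existing.txt', headers }, opts).status,
    hasNew: store.has('new.txt'),
    hasExisting: store.has('existing.txt'),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('pre-fix model:', simulateReadOnlyKey(false));
  console.log('patched model:', simulateReadOnlyKey(true));
}
```

Reads succeed with the read-only key under both models; only the two write paths change behaviour, which is exactly the scope the advisory says the read-only key was supposed to have. When reviewing a deployment for this issue, the check to look for is that every write handler consults the read-only flag, not just that it requires a master key.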
### Workarounds
There is no workaround other than not using `readOnlyMasterKey`, or restricting network access to the Files API endpoints.
### References
- GitHub
OSV
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
osv · 2026-03-06 · CVE-2026-30228 · MEDIUM
No detection rules found.
No public exploits indexed.
Published 2026-03-06