CVE-2026-30229
Published 2026-03-06
Severity: High (CVSS 3.1 base score 7.2)
EPSS: 0.39% (30.6th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.6 | 8.6.6 |
| parse-community | parse-server | < 9.5.0-alpha.4 | 9.5.0-alpha.4 |
| parse-community | parse-server | >= 0 < 8.6.6 | 8.6.6 |
| parse-community | parse-server | >= 9.0.0 < 9.5.0-alpha.4 | 9.5.0-alpha.4 |
| parseplatform | parse-server | < 8.6.6 | 8.6.6 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | 9.0.0 – 9.4.1 | — |
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH, vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
- NVD, CVSS v4.0: 8.5 HIGH, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
GHSA (ghsa · 2026-03-06)
CVE-2026-30229 [HIGH] CWE-863: parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
### Impact
The `readOnlyMasterKey` can call `POST /loginAs` to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses `readOnlyMasterKey` is affected.
### Patches
The fix adds a check to the `/loginAs` handler so that the read-only master key is no longer accepted for this operation.
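To make the Patches note concrete, the following is an added illustration of the kind of check the advisory describes; it is not Parse Server's source code or its actual patch. A stand-in for the `POST /loginAs` handler is gated first by a check that only asks for a master-level key (the behaviour the advisory reports as vulnerable, since `readOnlyMasterKey` satisfies it) and then by one that also rejects the read-only variant. It assumes an `auth` context with `isMaster` and `isReadOnly` flags; how Parse Server represents the credential internally is not stated on this page. The audit helper at the end runs over constructed request records and answers the retrospective question a defender asks after patching: did the read-only key ever call `/loginAs`?

```javascript
// Added example for CVE-2026-30229; illustrative code, not Parse Server's
// source or its actual patch. Assumption (not on the page): each request
// carries an auth context with `isMaster` (set for any master-level key,
// including the read-only one) and `isReadOnly` (set only for the
// readOnlyMasterKey).

// Constructed sample auth contexts for the three kinds of caller.
const SAMPLE_AUTH = {
  masterKey:         { isMaster: true,  isReadOnly: false },
  readOnlyMasterKey: { isMaster: true,  isReadOnly: true  },
  endUser:           { isMaster: false, isReadOnly: false },
};

// Before: the handler only asks whether the caller holds *a* master-level
// key. The readOnlyMasterKey passes, so a read-only credential can mint a
// session for any user.
function isLogInAsAllowedVulnerable(auth) {
  return auth.isMaster === true;
}

// After: creating another user's session is a privileged write, so the
// read-only variant of the master key is rejected explicitly.
function isLogInAsAllowedFixed(auth) {
  return auth.isMaster === true && auth.isReadOnly !== true;
}

// Minimal stand-in for the POST /loginAs handler, parameterised by the
// authorization check so both behaviours can be compared. `mintSession`
// is a constructed placeholder for whatever issues the session token.
function handleLogInAs(req, isAllowed, mintSession) {
  if (!req.body || typeof req.body.userId !== 'string' || !req.body.userId) {
    return { status: 400, error: 'userId is required' };
  }
  if (!isAllowed(req.auth)) {
    return { status: 403, error: 'master key is required' };
  }
  return { status: 200, sessionToken: mintSession(req.body.userId) };
}

// Run the same request through the vulnerable and the fixed check and
// report the HTTP status each would return for each caller.
function compareBehaviour() {
  const mint = (userId) => `r:constructed-token-for-${userId}`;
  const result = {};
  for (const [caller, auth] of Object.entries(SAMPLE_AUTH)) {
    const req = { auth, body: { userId: 'someUser' } };
    result[caller] = {
      before: handleLogInAs(req, isLogInAsAllowedVulnerable, mint).status,
      after: handleLogInAs(req, isLogInAsAllowedFixed, mint).status,
    };
  }
  return result;
}

// Retrospective audit: given request records (shape constructed here), list
// the /loginAs calls made with the read-only key, i.e. the calls to review
// after deploying the fix.
function findReadOnlyLogInAs(records) {
  return records.filter(
    (r) => r.method === 'POST' && r.path === '/loginAs' && r.auth.isReadOnly === true,
  );
}

// Constructed request records; not real log data.
const CONSTRUCTED_RECORDS = [
  { ts: '2026-03-01T10:00:00Z', method: 'POST', path: '/loginAs', auth: SAMPLE_AUTH.masterKey, userId: 'alice' },
  { ts: '2026-03-02T11:30:00Z', method: 'POST', path: '/loginAs', auth: SAMPLE_AUTH.readOnlyMasterKey, userId: 'bob' },
  { ts: '2026-03-02T11:31:00Z', method: 'GET',  path: '/classes/Note', auth: SAMPLE_AUTH.readOnlyMasterKey },
  { ts: '2026-03-03T09:15:00Z', method: 'POST', path: '/loginAs', auth: SAMPLE_AUTH.readOnlyMasterKey, userId: 'carol' },
];

console.log(compareBehaviour());
console.log(findReadOnlyLogInAs(CONSTRUCTED_RECORDS).map((r) => `${r.ts} ${r.userId}`));
```

With the vulnerable check the read-only caller gets a 200 and a session token for the requested user; with the fixed check it gets a 403, while the full master key and an ordinary user keep the same outcome as before. The audit helper returns the two records where the read-only key called `/loginAs`.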
### Workarounds
There is no workaround other than not using `readOnlyMasterKey`.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-79wj-8rqv-jvp5
- Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.4
- Fix for Parse Serv
OSV (osv · 2026-03-06): carries the same advisory text as the GHSA entry above.
No detection rules found.
No public exploits indexed.