#VU124970 Incorrect authorization in Parse Server - CVE-2026-30229

Published: April 6, 2026


Vulnerability identifier: #VU124970
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-30229
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote user to obtain full read and write access as any user.

The vulnerability exists due to incorrect authorization in the /loginAs endpoint when handling POST /loginAs requests authenticated with the readOnlyMasterKey. A remote privileged user who holds the readOnlyMasterKey can send a crafted request to obtain a valid session token for any user, gaining full read and write access as that user.

Only deployments that use readOnlyMasterKey are vulnerable.
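The flaw described above is an authorization check that accepts the read-only master key for an operation that issues sessions. The following added example is not Parse Server's code; it is a simplified model of that decision, showing the weak check beside the corrected one. The `X-Parse-Master-Key` header name follows Parse's REST convention; the config object, the function names and the response shapes are assumptions for this illustration.

```javascript
// Added example (not Parse Server's own code): a minimal model of the
// authorization decision for POST /loginAs, with the weak check beside
// the corrected one. The config shape and function names are assumed.

// Constructed configuration: a full master key and a read-only master key.
const CONFIG = {
  masterKey: 'EXAMPLE-FULL-MASTER-KEY',
  readOnlyMasterKey: 'EXAMPLE-READONLY-MASTER-KEY',
};

// Classify the credential presented in the request headers.
// Header names are lower-cased, as Node's http module does for req.headers.
function classifyMasterKey(headers, config) {
  const key = headers['x-parse-master-key'];
  if (!key) return 'none';
  if (key === config.masterKey) return 'master';
  if (config.readOnlyMasterKey && key === config.readOnlyMasterKey) return 'readOnly';
  return 'invalid';
}

// Weak check: treats either master-type key as sufficient. Because
// loginAs mints a session for an arbitrary user, this lets the read-only
// key perform a privileged write and then act as that user.
function loginAsAllowedWeak(headers, config) {
  const kind = classifyMasterKey(headers, config);
  return kind === 'master' || kind === 'readOnly';
}

// Corrected check: issuing a session is a write operation carried out
// with the target user's privileges, so only the full master key qualifies.
function loginAsAllowedFixed(headers, config) {
  return classifyMasterKey(headers, config) === 'master';
}

// Small handler wrapper (assumed shape) that shows the decision in context.
// The policy function is injectable so the weak and fixed variants can be
// compared on the same request.
function handleLoginAs(headers, body, config, allowed = loginAsAllowedFixed) {
  if (!allowed(headers, config)) {
    return { status: 403, error: 'loginAs requires the full master key' };
  }
  if (!body || typeof body.userId !== 'string' || body.userId === '') {
    return { status: 400, error: 'userId is required' };
  }
  // Real session creation would happen here; a constructed token is returned.
  return { status: 200, sessionToken: 'r:constructed-token-for-' + body.userId };
}

// Stand-alone demonstration on constructed requests.
const readOnlyRequest = { 'x-parse-master-key': CONFIG.readOnlyMasterKey };
const fullKeyRequest = { 'x-parse-master-key': CONFIG.masterKey };
console.log('weak policy, read-only key:',
  handleLoginAs(readOnlyRequest, { userId: 'user1' }, CONFIG, loginAsAllowedWeak).status);
console.log('fixed policy, read-only key:',
  handleLoginAs(readOnlyRequest, { userId: 'user1' }, CONFIG).status);
console.log('fixed policy, full key:',
  handleLoginAs(fullKeyRequest, { userId: 'user1' }, CONFIG).status);
```

The point of the contrast is that a "valid master-type key" test is not the right predicate for loginAs: the operation's effect (a session usable for writes as another user) exceeds what the read-only key is meant to grant, so the check has to name the exact privilege required rather than any credential from the master family.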


Remediation

Install security update from vendor's website.

External links