#VU124971 Information Exposure Through an Error Message in Parse Server - CVE-2026-30835

 


Published: April 6, 2026


Vulnerability identifier: #VU124971
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30835
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to generation of error messages containing sensitive information in the query execution layer when processing malformed $regex query parameters. A remote attacker can send a specially crafted query request to disclose sensitive information.

The issue leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details.
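
One way to keep those fields out of API responses and to regression-test for them, as an added example that is not Parse Server's code or the vendor's fix. All function names are hypothetical and the sample error object is constructed for illustration.

```javascript
// Added example; function names are hypothetical, not Parse Server internals.

// Constructed driver-style error for a malformed $regex (values are samples).
function sampleDriverError() {
  const err = new Error('Regular expression is invalid: missing )');
  Object.assign(err, {
    code: 2,
    codeName: 'BadValue',
    $clusterTime: { clusterTime: { t: 1770000000, i: 1 } },
    topologyVersion: { processId: 'constructed-id', counter: 6 },
  });
  return err;
}

// Before: the database error is serialised verbatim into the response (CWE-209).
function leakyResponse(err) {
  return { status: 500, body: { error: err.message, ...err } };
}

// After: details go to the server log; the client gets a fixed message and a
// correlation id (a lookup key, not a secret) to quote to the operator.
function sanitizedResponse(err, log = console.error) {
  const ref = globalThis.crypto?.randomUUID?.() ?? Math.random().toString(36).slice(2);
  log(JSON.stringify({ ref, message: err.message, code: err.code, codeName: err.codeName }));
  return { status: 400, body: { error: 'Invalid query.', ref } };
}

// Regression check: list database-internal keys present anywhere in a body.
const INTERNAL_KEYS = new Set(['codeName', '$clusterTime', 'operationTime', 'topologyVersion', 'errmsg']);
function leakedFields(value, found = []) {
  if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (INTERNAL_KEYS.has(key)) found.push(key);
      leakedFields(child, found);
    }
  }
  return found;
}

const sample = sampleDriverError();
console.log('before:', leakedFields(leakyResponse(sample).body));
console.log('after: ', leakedFields(sanitizedResponse(sample, () => {}).body));
```

Running `leakedFields` over captured responses from a test deployment gives a quick pass/fail signal after the vendor update is installed.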


Remediation

Install the security update from the vendor's website.

External links