#VU124980 Protection Mechanism Failure in Parse Server - CVE-2026-30938

 


Published: April 6, 2026


Vulnerability identifier: #VU124980
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30938
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote attacker to bypass the keyword denylist protection.

The vulnerability exists due to a protection mechanism failure in the requestKeywordDenylist keyword scanner when it processes request payloads containing a nested object or array before a prohibited keyword. A remote attacker can send a specially crafted request payload to bypass the keyword denylist protection.

The requestKeywordDenylist security control is enabled by default, and custom denylist entries configured by the developer are affected as well.
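The failure mode described above, as an added example that is not Parse Server's code: a hypothetical scanner that stops after descending into the first nested value, beside an exhaustive traversal, both run over constructed request bodies as a regression test. The denylist entry shape, the exact-match comparison, and all function and key names are assumptions made for illustration.

```javascript
// Added illustration; not Parse Server source. Names and entry shape are assumptions.
const DENYLIST = [{ key: 'blockedKey' }, { key: 'kind', value: 'Blocked' }]; // constructed

function matches(entry, key, value) {
  return entry.key === key && (entry.value === undefined || entry.value === value);
}

// Hypothetical flawed scanner: returning the result of the first nested
// object or array means sibling keys that follow it are never inspected.
function scanFirstBranchOnly(node, denylist) {
  for (const [key, value] of Object.entries(node)) {
    if (value !== null && typeof value === 'object') {
      return scanFirstBranchOnly(value, denylist);
    }
    const hit = denylist.find((e) => matches(e, key, value));
    if (hit) return hit;
  }
  return null;
}

// Exhaustive scanner: checks every key/value pair at every depth, using an
// explicit stack and a WeakSet so shared references are visited once.
function scanExhaustive(root, denylist) {
  const stack = [root];
  const seen = new WeakSet();
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object' || seen.has(node)) continue;
    seen.add(node);
    for (const key of Object.keys(node)) {
      const hit = denylist.find((e) => matches(e, key, node[key]));
      if (hit) return hit;
      stack.push(node[key]);
    }
  }
  return null;
}

// Constructed request bodies for a regression test of the scanner.
const SAMPLES = {
  flat: { blockedKey: 1 },
  objectFirst: { meta: { note: 'x' }, blockedKey: 1 },
  arrayFirst: { tags: ['a'], kind: 'Blocked' },
  clean: { meta: { note: 'x' }, name: 'ok' },
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, scanFirstBranchOnly(body, DENYLIST) !== null, scanExhaustive(body, DENYLIST) !== null);
}
```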


Remediation

Install the security update from the vendor's website.
