Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Severity:: Medium

Description

The file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata.

This affects any deployment that relies on Parse.Cloud.beforeFind(Parse.File, ...) to restrict file access.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

Affected version(s): **>= 9.0.0-alpha.1, < 9.5.0-alpha.9 < 8.6.9**
Patched version(s): **9.5.0-alpha.9 8.6.9**

References

GHSA-hwx8-q9cg-mqmc
CVE-2026-30850
CWE-862
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction - CVE-2026-30228
Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948

Tags:: npm; parse-server

Anything's wrong? Let us know Last updated on March 09, 2026