Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
- Severity:
- Medium
Description
The file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata.
This affects any deployment that relies on Parse.Cloud.beforeFind(Parse.File, ...) to restrict file access.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0-alpha.1, < 9.5.0-alpha.9 < 8.6.9** Patched version(s): **9.5.0-alpha.9 8.6.9**
References
Related Issues
- Parser Server's streaming file download bypasses afterFind file trigger authorization - CVE-2026-34784
- parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction - CVE-2026-30228
- Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` - CVE-2026-39381
- Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 09, 2026