Parse Server has a SQL injection via query field name when using PostgreSQL
Severity: Medium
Description
An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query.
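The root cause described above is an untrusted identifier (the field name) being spliced into SQL text instead of being treated as an identifier. The following added example is illustrative and is not Parse Server's own code: `buildRegexWhereUnsafe` shows the interpolation pattern the advisory describes, and `buildRegexWhereSafe` shows the usual fix of validating the field name against a strict identifier grammar, quoting it as a PostgreSQL identifier, and keeping the regex pattern itself as a bind parameter. `quoteFieldPath` extends the same check to dot-notation paths, which the related advisories cover. The function names, the identifier grammar and the query shape are assumptions made for this example.

```javascript
// Illustrative example, not Parse Server's own query builder.
// Shows how a $regex constraint's FIELD NAME can be handled unsafely
// (string interpolation) versus safely (validated identifier + bind parameter).

// Vulnerable pattern: the field name becomes part of the SQL text verbatim,
// so quotes, parentheses or semicolons in it alter the statement.
function buildRegexWhereUnsafe(field, pattern) {
  // Hypothetical shape; the real adapter's SQL differs.
  return { text: `"${field}" ~ $1`, values: [pattern] };
}

// Assumed grammar for a Parse field name: letters, digits and underscore,
// not starting with a digit. Anything else is rejected, never escaped into SQL.
const SAFE_FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Validate and double-quote a PostgreSQL identifier.
// The replace() is defensive: after the regex check no '"' can be present.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || !SAFE_FIELD_NAME.test(name)) {
    throw new Error(`Invalid field name: ${JSON.stringify(name)}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Hardened form: identifier is validated, the regex pattern stays a parameter.
function buildRegexWhereSafe(field, pattern) {
  return { text: `${quoteIdentifier(field)} ~ $1`, values: [pattern] };
}

// Dot-notation path such as "data.a.b" on a JSON column: validate every
// segment independently. Intermediate hops use ->, the last uses ->> so the
// result is text and can be compared with a regex.
function quoteFieldPath(path) {
  const [column, ...keys] = String(path).split('.');
  let expr = quoteIdentifier(column);
  keys.forEach((key, i) => {
    if (!SAFE_FIELD_NAME.test(key)) {
      throw new Error(`Invalid sub-key: ${JSON.stringify(key)}`);
    }
    // Safe to embed as a literal only because key matched the strict pattern.
    expr += i === keys.length - 1 ? ` ->> '${key}'` : ` -> '${key}'`;
  });
  return expr;
}

// Constructed inputs for demonstration.
function demo() {
  const crafted = 'name" OR 1=1 --';
  const unsafe = buildRegexWhereUnsafe(crafted, '^a').text; // quote breaks out
  let safeError = null;
  try {
    buildRegexWhereSafe(crafted, '^a');
  } catch (e) {
    safeError = e.message; // rejected before any SQL is built
  }
  return { unsafe, safeError, nested: quoteFieldPath('data.a.b') };
}

module.exports = { buildRegexWhereUnsafe, buildRegexWhereSafe, quoteIdentifier, quoteFieldPath, demo };
```

The design choice worth noting is rejection rather than escaping: a field name that fails the grammar is an error returned to the caller, so no attempt is made to "clean" it into SQL, and the regex pattern never touches the SQL text at all because it travels as `$1`.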
Recommendation
Update the parse-server package to the latest compatible version. Version details are as follows:
Affected version(s): **< 8.6.36**; **>= 9.0.0, < 9.6.0-alpha.10**
Patched version(s): **8.6.36**; **9.6.0-alpha.10**
References
Related Issues
- Parse Server: SQL injection via dot-notation field name in PostgreSQL - CVE-2026-31840
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter - CVE-2026-33539
- Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
Tags: npm, parse-server
Last updated on March 12, 2026