Parse Server has role escalation and CLP bypass via direct `_Join` table write
Severity: High
Description
Parse Server’s internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required.
An attacker can create, read, update, or delete records in any internal relationship table.
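As a stop-gap for deployments that cannot upgrade immediately, the gate below shows how a reverse proxy or Express middleware in front of Parse Server can refuse requests that address internal relation tables unless the master key is present. This is an added example, not Parse Server's own code or its fix: it assumes the REST API is mounted at `/parse`, the GraphQL API at `/graphql`, that the class name is the URL-encoded path segment after `/classes/`, and that the master key travels in the `X-Parse-Master-Key` header. The table name `_Join:members:Team` in the demo is constructed, as is the master key value.

```javascript
// Added example (not from Parse Server): block non-master-key access to
// internal `_Join` relation tables at the edge. Adjust the assumed mount
// points and header name to match your deployment.

const MOUNT_PATH = "/parse";       // assumption: Parse REST API mount point
const GRAPHQL_PATH = "/graphql";   // assumption: Parse GraphQL API mount point
const INTERNAL_PREFIX = "_Join";   // internal relation tables named in the advisory
const MASTER_KEY = "example-master-key"; // constructed; load from a secret store in practice

// Extract the class name from a REST path such as /parse/classes/Foo/objectId.
// Returns null when the path is not a /classes/ route.
function classNameFromPath(pathname) {
  const prefix = `${MOUNT_PATH}/classes/`;
  if (!pathname.startsWith(prefix)) return null;
  const segment = pathname.slice(prefix.length).split("/")[0];
  try {
    return decodeURIComponent(segment);
  } catch (e) {
    return segment; // malformed percent-encoding: judge the raw segment instead
  }
}

function isInternalJoinClass(name) {
  return typeof name === "string" && name.startsWith(INTERNAL_PREFIX);
}

// Constant-time string comparison so the gate itself does not leak key bytes.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function hasValidMasterKey(headers, masterKey) {
  return constantTimeEqual(headers["x-parse-master-key"], masterKey);
}

// Crude GraphQL check: the operation text or variables mention an internal table.
function graphqlTouchesInternalClass(body) {
  if (!body || typeof body !== "object") return false;
  return JSON.stringify([body.query, body.variables]).includes(INTERNAL_PREFIX);
}

// Pure decision function: req = { path, headers, body }.
function evaluateRequest(req, masterKey = MASTER_KEY) {
  const pathname = (req.path || "").split("?")[0];
  const touchesInternal =
    isInternalJoinClass(classNameFromPath(pathname)) ||
    (pathname === GRAPHQL_PATH && graphqlTouchesInternalClass(req.body));
  if (!touchesInternal) return { allow: true, reason: "not an internal table" };
  if (hasValidMasterKey(req.headers || {}, masterKey)) {
    return { allow: true, reason: "master key present" };
  }
  return { allow: false, reason: "internal table access requires master key" };
}

// Express-style middleware; 119 is Parse's OPERATION_FORBIDDEN error code.
function parseInternalTableGuard(masterKey = MASTER_KEY) {
  return function (req, res, next) {
    const verdict = evaluateRequest(
      { path: req.path, headers: req.headers, body: req.body }, masterKey);
    if (verdict.allow) return next();
    res.status(403).json({ code: 119, error: verdict.reason });
  };
}

// Stand-alone demo on constructed requests.
const demo = [
  { path: "/parse/classes/GameScore", headers: {} },
  { path: "/parse/classes/_Join%3Amembers%3ATeam", headers: {} },
  { path: "/parse/classes/_Join%3Amembers%3ATeam",
    headers: { "x-parse-master-key": MASTER_KEY } },
];
for (const r of demo) console.log(r.path, evaluateRequest(r));
```

Mount the guard before Parse Server's own router (`app.use(parseInternalTableGuard(masterKey))`) so it sees every REST and GraphQL request first. The GraphQL branch is deliberately coarse, a substring match on the operation text, because a stop-gap should fail closed; the real fix remains the upgrade listed under Recommendation.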
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **< 8.6.20** and **>= 9.0.0-alpha.1, < 9.5.2-alpha.7**
- Patched version(s): **8.6.20** and **9.5.2-alpha.7**
Related Issues
- Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
Tags: npm, parse-server
Last updated on March 11, 2026