GHSA-p2w6-rmh7-w8q3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p2w6-rmh7-w8q3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p2w6-rmh7-w8q3/GHSA-p2w6-rmh7-w8q3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p2w6-rmh7-w8q3
- Aliases
-
- CVE-2026-33539
- Published
- 2026-03-24T19:12:06Z
- Modified
- 2026-03-24T19:16:39.794040Z
- Severity
-
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
- Details
-
Impact
An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate
$grouppipeline stage or thedistinctoperation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
Patches
Field names in the aggregate
$group._idobject values anddistinctdot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the:rawinterpolation used in the PostgreSQL storage adapter.Workarounds
No workaround. Upgrade to a patched version.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-24T19:12:06Z", "cwe_ids": [ "CWE-89" ], "nvd_published_at": null, "severity": "HIGH" }- References
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server