CVE-2026-33539

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33539

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33539.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33539

Aliases

Published

2026-03-24T18:26:56.046Z

Modified

2026-04-10T05:42:50.702598Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33539.json"
}

References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

Fixed

eeabc97878a8112c5a32be1609e72ef562dde9f2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.6.59"
        }
    ]
}

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

532a461d30a6ed4457839f2caf5f30d5abf51a55

Fixed

97bdaf5299a40ad8d4b5c5e160a592bf63070934

Database specific

{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.6.0-alpha.53"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.25

2.2.25-beta.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.8.0

2.8.2

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.10.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.7.1

3.7.2

3.8.0

3.9.0

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.4.0

4.5.0

5.*

5.0.0

5.0.0-alpha.1

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0

5.3.1

5.3.2

5.3.3

5.4.0

6.*

6.0.0

6.1.0

6.2.0

6.2.1

6.2.2

6.3.0

6.3.1

6.4.0

7.*

7.0.0

7.1.0

7.2.0

7.3.0

7.4.0

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.3.0

8.4.0

8.5.0

8.6.0

8.6.1

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.6.19

8.6.2

8.6.20

8.6.21

8.6.22

8.6.23

8.6.24

8.6.25

8.6.26

8.6.27

8.6.28

8.6.29

8.6.3

8.6.30

8.6.31

8.6.32

8.6.33

8.6.34

8.6.35

8.6.36

8.6.37

8.6.38

8.6.39

8.6.4

8.6.40

8.6.41

8.6.42

8.6.43

8.6.44

8.6.45

8.6.46

8.6.47

8.6.48

8.6.49

8.6.5

8.6.50

8.6.51

8.6.52

8.6.53

8.6.54

8.6.55

8.6.56

8.6.57

8.6.58

8.6.6

8.6.7

8.6.8

8.6.9

9.*

9.0.0

9.1.0

9.1.1

9.2.0

9.3.0

9.3.1

9.4.0

9.4.1

9.5.0

9.5.1

9.5.2-alpha.1

9.5.2-alpha.10

9.5.2-alpha.11

9.5.2-alpha.12

9.5.2-alpha.13

9.5.2-alpha.14

9.5.2-alpha.2

9.5.2-alpha.3

9.5.2-alpha.4

9.5.2-alpha.5

9.5.2-alpha.6

9.5.2-alpha.7

9.5.2-alpha.8

9.5.2-alpha.9

9.6.0-alpha.1

9.6.0-alpha.10

9.6.0-alpha.11

9.6.0-alpha.12

9.6.0-alpha.13

9.6.0-alpha.14

9.6.0-alpha.15

9.6.0-alpha.16

9.6.0-alpha.17

9.6.0-alpha.18

9.6.0-alpha.19

9.6.0-alpha.2

9.6.0-alpha.20

9.6.0-alpha.21

9.6.0-alpha.22

9.6.0-alpha.23

9.6.0-alpha.24

9.6.0-alpha.25

9.6.0-alpha.26

9.6.0-alpha.27

9.6.0-alpha.28

9.6.0-alpha.29

9.6.0-alpha.3

9.6.0-alpha.30

9.6.0-alpha.31

9.6.0-alpha.32

9.6.0-alpha.33

9.6.0-alpha.34

9.6.0-alpha.35

9.6.0-alpha.36

9.6.0-alpha.37

9.6.0-alpha.38

9.6.0-alpha.39

9.6.0-alpha.4

9.6.0-alpha.40

9.6.0-alpha.41

9.6.0-alpha.42

9.6.0-alpha.43

9.6.0-alpha.44

9.6.0-alpha.45

9.6.0-alpha.46

9.6.0-alpha.47

9.6.0-alpha.48

9.6.0-alpha.49

9.6.0-alpha.5

9.6.0-alpha.50

9.6.0-alpha.51

9.6.0-alpha.52

9.6.0-alpha.6

9.6.0-alpha.7

9.6.0-alpha.8

9.6.0-alpha.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33539.json"