Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
GHSA-vc89-5g3r-cmhh · BIT-parse-2026-29182 · CVE-2026-29182
Published · Modified
Description
Impact
Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.
Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability.
Patches
The fix adds authorization checks, rejecting mutating requests made with the readOnlyMasterKey.
Workarounds
There is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the readOnlyMasterKey value is not shared with untrusted parties.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh
- Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3
- Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-29182
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.4
- WEB https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3
Ready to move
Start Securing
Free, no credit card | First findings in minutes