parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
GHSA-xfh7-phr7-gr2x · BIT-parse-2026-30228 · CVE-2026-30228
Published · Modified
Description
Impact
The readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey.
Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files.
Patches
The fix adds permission checks to both the file upload and file delete handlers.
Workarounds
There is no workaround other than not using readOnlyMasterKey, or restricting network access to the Files API endpoints.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x
- Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3
- Fix for Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.5
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-30228
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.5
- WEB https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3
Ready to move
Start Securing
Free, no credit card | First findings in minutes