Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
GHSA-hwx8-q9cg-mqmc · BIT-parse-2026-30850 · CVE-2026-30850
Description
Impact
The file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata.
This affects any deployment that relies on Parse.Cloud.beforeFind(Parse.File, ...) to restrict file access. Only file metadata (user-defined key-value pairs set via addMetadata) is exposed; file content remains protected.
Patches
The metadata handler now runs beforeFind and afterFind triggers and returns HTTP 403 when a trigger denies access.
Workarounds
Disable the metadata endpoint by overriding the route with a middleware that rejects all requests:
```js
// Add before mounting Parse Server
app.get('/parse/files/:appId/metadata/:filename', (req, res) => {
  res.status(403).json({ error: 'Forbidden' });
});
```
Adjust the path prefix (/parse) to match your mountPath.
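The following is an added example, not code from the advisory or from Parse Server. It builds the workaround route for a given mountPath and, using a small stand-in for an Express router (first matching route wins) plus a mocked set of Parse Server file routes, checks that the override answers 403 only when it is registered ahead of Parse Server, while ordinary file downloads still reach the server.

```javascript
// Added example; the "Parse Server" routes below are a constructed mock,
// not the real router. Express semantics assumed: first matching route wins.

// 'parse', '/parse' and '/parse/' all normalise to '/parse'; '/' to ''.
function normalizeMount(mountPath) {
  const trimmed = String(mountPath).replace(/^\/+|\/+$/g, '');
  return trimmed ? '/' + trimmed : '';
}

function metadataRoutePath(mountPath) {
  return normalizeMount(mountPath) + '/files/:appId/metadata/:filename';
}

// The advisory's workaround handler: reject every metadata request.
function denyMetadata(req, res) {
  res.status(403).json({ error: 'Forbidden' });
}

// Express-style ':param' segments match exactly one path segment.
function routeRegex(pattern) {
  return new RegExp('^' + pattern.replace(/:[^/]+/g, '[^/]+') + '$');
}

// Mock of routes Parse Server mounts (constructed). The metadata route
// models the unpatched behaviour: it answers without running beforeFind.
function mockParseRoutes(mountPath) {
  const m = normalizeMount(mountPath);
  return [
    { method: 'GET', path: m + '/files/:appId/metadata/:filename',
      handler: (req, res) => res.status(200).json({ metadata: { owner: 'alice' } }) },
    { method: 'GET', path: m + '/files/:appId/:filename',
      handler: (req, res) => res.status(200).json({ served: req.url }) },
  ];
}

// Run one request through an ordered route list with a mock response.
function simulate(routes, method, url) {
  const res = { statusCode: 200, body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; } };
  const hit = routes.find(r => r.method === method && routeRegex(r.path).test(url));
  if (hit) hit.handler({ method, url }, res);
  else res.status(404).json({ error: 'Not found' });
  return res;
}

// Correct order: the override is registered before Parse Server is mounted.
function hardenedStack(mountPath) {
  return [{ method: 'GET', path: metadataRoutePath(mountPath), handler: denyMetadata },
          ...mockParseRoutes(mountPath)];
}
```

Swapping the order (Parse Server routes first, override last) leaves the mocked metadata route reachable, which is why the advisory says to add the override before mounting.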
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.9
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.9