UNKNOWN npm
Parse Server has a protected fields bypass via dot-notation in query and sort
GHSA-r2m8-pxm9-9c4g · BIT-parse-2026-31872 · CVE-2026-31872
Description
Impact
The protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values.
This affects both MongoDB and PostgreSQL deployments.
Patches
The fix ensures that query WHERE clause keys and sort keys are checked against protected fields by extracting the root field from dot-notation paths. For example, a query on secretObj.apiKey is now correctly blocked when secretObj is a protected field.
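As an added illustration of the root-field check described above (example code written for this page, not Parse Server's own implementation; the function names, the descent into $or/$and/$nor arrays, and the comma-separated, "-"-prefixed order string are assumptions about the request shape), a helper that reports which protected fields a where clause or sort parameter would reach:

```javascript
// Added example, not Parse Server code. Names are hypothetical.

// Root field of a dot-notation path: "secretObj.apiKey" -> "secretObj".
function rootField(key) {
  return key.split('.')[0];
}

// Collect the root field of every key in a Parse-style "where" clause,
// descending into $or / $and / $nor arrays so nested constraints are seen.
function whereFields(where, out = new Set()) {
  if (!where || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      for (const sub of Array.isArray(value) ? value : []) whereFields(sub, out);
    } else {
      out.add(rootField(key));
    }
  }
  return out;
}

// "order" is assumed to be comma-separated; a leading "-" means descending.
function sortFields(order) {
  if (!order) return new Set();
  return new Set(
    order.split(',')
      .map((s) => s.trim().replace(/^-/, ''))
      .filter(Boolean)
      .map(rootField)
  );
}

// Sorted list of protected fields the request touches via query or sort.
// A non-empty result is the condition the fixed server rejects.
function protectedFieldViolations(protectedFields, where, order) {
  const protectedSet = new Set(protectedFields);
  const referenced = new Set([...whereFields(where), ...sortFields(order)]);
  return [...referenced].filter((f) => protectedSet.has(f)).sort();
}

// Constructed sample request: sub-field of a protected object in both places.
const sample = protectedFieldViolations(
  ['secretObj'],
  { $or: [{ name: 'alice' }, { 'secretObj.apiKey': { $exists: true } }] },
  '-secretObj.apiKey,name'
);
console.log(sample); // prints [ 'secretObj' ]
```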
Workarounds
None.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.32
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-31872
- Package: https://github.com/parse-community/parse-server