Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
GHSA-p2w6-rmh7-w8q3 · BIT-parse-2026-33539 · CVE-2026-33539
Description
Impact
An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.
Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
Patches
Field names in the aggregate $group._id object values and distinct dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the :raw interpolation used in the PostgreSQL storage adapter.
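The following is an added illustration of the allow-list check this paragraph describes; it is not Parse Server's own code, and the function names, the treatment of `$`-prefixed field references and the per-segment handling of dot-notation are assumptions. The point it makes is structural: a field name that can reach a raw-interpolation helper must first pass a strict character allow-list, and the quoting step refuses anything that has not.

```javascript
// Added example: allow-list validation for field names before they are
// interpolated as raw SQL identifiers. Not Parse Server code; function names
// and the handling of "$" references and dot-notation are assumptions.

// Only ASCII letters, digits and underscores may appear in a field-name segment.
const SAFE_IDENTIFIER = /^[A-Za-z0-9_]+$/;

function isSafeFieldSegment(segment) {
  return typeof segment === 'string' && SAFE_IDENTIFIER.test(segment);
}

// Validate a dot-notation path such as "address.city" (the form used by
// distinct). Every segment must pass the allow-list; returns the segments.
// An empty segment ("a..b") fails because the pattern requires one character.
function validateDotNotationField(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('field name must be a non-empty string');
  }
  const segments = path.split('.');
  if (!segments.every(isSafeFieldSegment)) {
    throw new Error(`Invalid field name: ${JSON.stringify(path)}`);
  }
  return segments;
}

// $group._id values are field references such as "$score" or "$address.city".
// The leading "$" is stripped and the remainder validated as a path.
function validateGroupIdValue(value) {
  if (typeof value !== 'string' || !value.startsWith('$')) {
    throw new Error(`Unsupported $group _id value: ${JSON.stringify(value)}`);
  }
  return validateDotNotationField(value.slice(1));
}

// Validate the whole $group._id, which may be a single reference string or an
// object mapping output aliases to references. Aliases are checked as well,
// since they can also end up in generated SQL as column labels.
function validateGroupId(groupId) {
  if (typeof groupId === 'string') {
    return { _id: validateGroupIdValue(groupId) };
  }
  if (groupId === null || typeof groupId !== 'object' || Array.isArray(groupId)) {
    throw new Error('Unsupported $group _id');
  }
  const validated = {};
  for (const [alias, value] of Object.entries(groupId)) {
    if (!isSafeFieldSegment(alias)) {
      throw new Error(`Invalid $group alias: ${JSON.stringify(alias)}`);
    }
    validated[alias] = validateGroupIdValue(value);
  }
  return validated;
}

// Produce a double-quoted SQL identifier for a top-level column, refusing
// anything that did not pass the allow-list. This is the only place a field
// name should reach a raw-interpolation helper.
function quoteColumn(name) {
  if (!isSafeFieldSegment(name)) {
    throw new Error(`Refusing to interpolate field name: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Constructed inputs: a benign distinct field and a hostile one containing a
// quote and a statement separator, which raw interpolation would have passed
// straight into the query text.
const benignDistinct = 'address.city';
const hostileDistinct = 'city"; --';

// Runs both inputs through the validator and reports the outcome.
function demo() {
  const results = { benign: validateDotNotationField(benignDistinct) };
  try {
    validateDotNotationField(hostileDistinct);
    results.hostile = 'accepted';
  } catch (e) {
    results.hostile = 'rejected';
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Note that the allow-list is deliberately narrower than what PostgreSQL would accept in a quoted identifier; the goal is to make the set of interpolated strings trivially inspectable, not to support every legal column name. Detection-wise, aggregate or distinct requests whose field names contain quotes, semicolons or whitespace are worth alerting on at the API layer, since legitimate Parse field names never contain them.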
Workarounds
No workaround. Upgrade to a patched version.
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33539
- WEB https://github.com/parse-community/parse-server/pull/10272
- WEB https://github.com/parse-community/parse-server/pull/10273
- WEB https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
- WEB https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
- PACKAGE https://github.com/parse-community/parse-server