Parse Server File API Access Control Bypass Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.5 and 9.5.0-alpha.3: requests authenticated with the readOnlyMasterKey are not blocked from write operations on the Files API, so a key that is meant to grant read-only access can create and delete files. This issue affects any deployment that uses the readOnlyMasterKey and exposes the Files API. An attacker who holds the readOnlyMasterKey can upload arbitrary files or delete existing ones, violating the intended access controls.

Impact

Exploitation of this vulnerability allows unauthorized file creation and deletion via the Files API, bypassing the restrictions the readOnlyMasterKey is intended to enforce. This could lead to arbitrary file uploads or the removal of critical files from the server.

Remediation

Upgrade to Parse Server version 8.6.5 or 9.5.0-alpha.3, both of which include the patch. These versions are available on the Parse Server GitHub releases page.

Added: Mar 6, 2026, 9:21 PM
Updated: Mar 6, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 4.8
remediation: 7.9
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.