Parse Server Class-Level Permission Bypass Vulnerability Allowing Protected Field Enumeration

Vulnerability

A vulnerability in Parse Server prior to versions 9.6.0-alpha.6 and 8.6.32 allows the protectedFields class-level permission to be bypassed. Dot-notation keys in a query's WHERE clause and in its sort parameters are not checked against protectedFields, so a caller can filter or sort on sub-fields of a protected field without that field ever being returned; the presence or absence of results then acts as a binary oracle for enumerating the protected values. The issue affects both MongoDB and PostgreSQL deployments.

Impact

Exploitation of this vulnerability allows attackers to bypass class-level permissions on protected fields by querying or sorting on sub-fields of those fields. Although the protected field itself is still withheld from the response, the query results reveal information about its contents, which could lead to unauthorized access to sensitive data.
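As an added example, not taken from the advisory or from Parse Server's own code base, the following check flags incoming queries whose WHERE clause or sort order references a protected field through dot notation, the pattern described above. It assumes the caller has already resolved the protectedFields list that applies to the requesting user, and that the query arrives in Parse REST shape (`where` as a JSON object, `order` as a comma-separated string with a leading `-` for descending). The constructed sample query at the end is for illustration only.

```javascript
// Added example (not Parse Server code): detect queries that reach into a
// protected field via dot-notation keys in `where` or `order`.
// Assumption: `protectedFields` is the effective list for this requester.

// Root field name of a key such as "secret.flag" -> "secret".
function rootField(key) {
  return key.split(".")[0];
}

// Collect every field key referenced in a where clause, descending into
// $or / $and / $nor compound conditions. Keys inside a single field's
// constraint object ($gt, $regex, ...) are operators, not field names,
// so the walk stops at the field key. Cross-class sub-queries ($select,
// $dontSelect, $relatedTo) are not followed here.
function whereFieldKeys(where, out = []) {
  if (!where || typeof where !== "object") return out;
  for (const [key, value] of Object.entries(where)) {
    if (key === "$or" || key === "$and" || key === "$nor") {
      if (Array.isArray(value)) value.forEach((sub) => whereFieldKeys(sub, out));
    } else if (!key.startsWith("$")) {
      out.push(key);
    }
  }
  return out;
}

// Turn an order string ("-score,name.first") into bare field keys.
function orderFieldKeys(order) {
  if (!order) return [];
  return String(order)
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => (s.startsWith("-") ? s.slice(1) : s));
}

// Return every where/order key whose root field is protected. Plain
// top-level references ("secret") are reported too, as a conservative rule:
// filtering on an exact value leaks just as much as filtering on a sub-field.
function findProtectedFieldReferences(query, protectedFields) {
  const protectedSet = new Set(protectedFields);
  const keys = [...whereFieldKeys(query.where), ...orderFieldKeys(query.order)];
  return keys.filter((k) => protectedSet.has(rootField(k)));
}

// Constructed sample: a request that probes the protected "secret" field.
const sampleQuery = {
  where: { "secret.token": { $regex: "^a" }, $or: [{ name: "x" }, { "secret.flag": true }] },
  order: "-secret.level,name",
};
console.log(findProtectedFieldReferences(sampleQuery, ["secret"]));
```

A deployment that cannot upgrade immediately can apply this logic in a request-validation layer in front of the class and reject any query for which the returned list is non-empty, logging the hits for investigation.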

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.6 or 8.6.32 to address this vulnerability.

Added: Mar 11, 2026, 6:18 PM
Updated: Mar 11, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.3
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.