CVE-2026-30962

EPSS 0.3%
Veröffentlicht 10.03.2026 20:42:22
Zuletzt bearbeitet 11.03.2026 16:59:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 7 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.19

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.5.2

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.2 Updatealpha5 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.211

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X