CVE-2026-30966 - Vulnerability Analysis
Severity: Critical | CVSS: 10.0 | Last Updated: March 11, 2026
Parse Server - Broken Access Control
Overview
Parse Server versions before 9.5.2-alpha.7 and before 8.6.20 contain a broken access control vulnerability: the internal Relation field tables can be accessed directly through the REST or GraphQL API using only the application key, letting attackers modify role memberships and bypass role-based permissions. Exploitation requires only application key access.
Impact
Attackers can gain full permissions by injecting themselves into roles, allowing full read, write, and delete access to protected data.
Mitigation
Upgrade to version 9.5.2-alpha.7 or 8.6.20 or later.
References
Social Media Activity (1 post)
🚨 CRITICAL: CVE-2026-30966 in parse-server (<9.5.2-alpha.7, <8.6.20) lets attackers gain any role via REST/GraphQL with just the app key. Upgrade now and restrict API access! Full details: https://radar.offseq.com/threat/cve-2026-30966-cwe-284-improper-access-control-in--321de92a #OffSeq #parseServer #CVE202630966 #infosec
Details
- CVE ID: CVE-2026-30966
- Severity: Critical
- CVSS Score: 10.0
- Type: broken_access_control
- Status: confirmed
- EPSS: 4.3%
- Social Posts: 1
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L