Node.js RCE (CVE-2026-30966)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field ma...
Overview
A critical security vulnerability has been identified in Parse Server, an open-source backend framework. This flaw allows any user with a standard application key to directly manipulate the server’s internal relationship tables, leading to a complete bypass of role-based access controls.
Vulnerability Details
In affected versions, the internal tables that manage relationships, such as which users belong to which roles, were incorrectly exposed through the public REST and GraphQL APIs. Crucially, exploitation does not require the privileged master key; only the general application key is needed. An attacker can perform create, read, update, and delete (CRUD) operations on these tables.
The core issue is an access control failure. By modifying these tables, an attacker can add themselves to any existing Parse Role. Roles are central to Parse Server’s security model, as Class-Level Permissions (CLPs) often restrict data access based on them.
Impact
The impact of this vulnerability is severe. A successful attacker gains all permissions associated with the compromised role. This typically results in:
- Full data compromise: Read, modify, and delete all data in database classes protected by role-based CLPs.
- Privilege escalation: An ordinary user can elevate themselves to an administrative or highly privileged role.
- Bypassed security policies: Pointer-based CLPs that rely on Relation fields are also circumvented.
This flaw provides a direct path to a full application breach, potentially exposing sensitive user data and allowing widespread data destruction. For context on the risks of such breaches, recent incidents are detailed in our breach reports.
Remediation and Mitigation
Immediate action is required to secure affected deployments.
Primary Fix: Patch Immediately
The vulnerability is fixed in Parse Server versions 9.5.2-alpha.7 and 8.6.20. All users must upgrade to one of these patched versions immediately. Review the official Parse Server release notes for upgrade instructions.
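Checking whether an installed build is at or above the fixed versions is error-prone when a fixed version carries a prerelease tag: a plain string comparison puts 9.5.2-alpha.10 before 9.5.2-alpha.7. The following Node.js snippet is an added example, not code from this advisory or from the Parse Server project. It parses semver with prerelease identifiers and compares against the two fixed versions named above. It assumes that 9.5.2-alpha.7 is the fix on the 9.x line and that every version below 8.6.20 (8.x and older) is affected; confirm that reading against the upstream advisory before acting on it.

```javascript
// Added example: semver comparison against the fixed Parse Server versions
// named in this advisory. Fixed versions are taken from the advisory text;
// the per-release-line interpretation below is an assumption.
const FIXED_VERSIONS = {
  line9: '9.5.2-alpha.7', // fix on the 9.x line (assumption: applies to all 9.x)
  line8: '8.6.20',        // fix on the 8.x line; anything older is "prior to" it
};

// Parse "MAJOR.MINOR.PATCH[-pre.release.ids]" into numeric core + prerelease ids.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Semver rule: numeric identifiers compare numerically and sort before
// alphanumeric ones; alphanumeric identifiers compare lexically.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A release (no prerelease tag) is greater than any
// prerelease of the same core version.
function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return Math.sign(a.main[i] - b.main[i]);
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list is greater.
  return Math.sign(a.pre.length - b.pre.length);
}

// True when the installed version is below the fix for its release line.
function isAffected(installed) {
  const { main } = parseVersion(installed);
  if (main[0] === 9) return compareVersions(installed, FIXED_VERSIONS.line9) < 0;
  // 8.x and anything older: affected if prior to 8.6.20. 10.x and later
  // compare greater than 8.6.20 and are reported as not affected.
  return compareVersions(installed, FIXED_VERSIONS.line8) < 0;
}

// Stand-alone usage with constructed sample versions.
for (const v of ['8.6.19', '8.6.20', '9.5.1', '9.5.2-alpha.6', '9.5.2-alpha.7', '9.5.2-alpha.10', '9.5.2']) {
  console.log(`${v}: ${isAffected(v) ? 'AFFECTED' : 'fixed'}`);
}
```

Feed it the version reported by `npm ls parse-server` or the running process, and treat the result as a first filter only: the advisory, not the version string, is the authority on which builds carry the fix.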
Temporary Mitigation (If Patching is Delayed)
If immediate patching is not possible, consider the following temporary measures while you schedule the upgrade:
- Audit Logs: Closely monitor API access logs for unexpected queries or mutations targeting internal tables (e.g., _Join:roles:_User).
- Network Controls: Restrict direct access to your Parse Server API endpoints where feasible.
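The Audit Logs measure, written out as an added example that is not part of this advisory or of Parse Server: a Node.js script that scans access-log records for REST requests addressed to `_Join:<field>:<class>` tables (including percent-encoded class names such as `_Join%3Aroles%3A_User`) and for GraphQL bodies that name such a table. The JSON log schema, the `masterKey` field and the sample records are constructed for the example and stand in for whatever your reverse proxy or application logger actually emits; the REST path shape `/parse/classes/<ClassName>` follows the standard Parse REST API layout.

```javascript
// Added example: flag requests that touch Parse Server's internal _Join tables.
// Log records below are constructed; the fields (ts, method, url, masterKey,
// status, body) are an assumption about the logging layer, not Parse fields.
const SAMPLE_LOG = [
  '{"ts":"2026-03-01T10:00:00Z","method":"GET","url":"/parse/classes/GameScore?limit=10","masterKey":false,"status":200}',
  '{"ts":"2026-03-01T10:00:05Z","method":"POST","url":"/parse/classes/_Join:roles:_User","masterKey":false,"status":201}',
  '{"ts":"2026-03-01T10:00:07Z","method":"GET","url":"/parse/classes/_Join%3Aroles%3A_User?where=%7B%7D","masterKey":false,"status":200}',
  '{"ts":"2026-03-01T10:00:09Z","method":"PUT","url":"/parse/classes/_Join:roles:_User/abc123","masterKey":true,"status":200}',
  '{"ts":"2026-03-01T10:00:11Z","method":"POST","url":"/parse/graphql","masterKey":false,"status":200,"body":"mutation { /* constructed body naming _Join:roles:_User */ }"}',
  'garbage line that is not JSON',
];

// Tolerant line parser: non-JSON lines are skipped rather than aborting the scan.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null;
  }
}

// Extract the class name from a REST URL of the form .../classes/<ClassName>[/objectId].
// Percent-encoding is decoded so "_Join%3Aroles%3A_User" is recognised too.
function classFromUrl(url) {
  let path = url.split('?')[0];
  try {
    path = decodeURIComponent(path);
  } catch {
    // Malformed percent-encoding: fall back to the raw path.
  }
  const segs = path.split('/');
  const i = segs.indexOf('classes');
  return i !== -1 && i + 1 < segs.length ? segs[i + 1] : null;
}

function isInternalJoinClass(name) {
  return typeof name === 'string' && name.startsWith('_Join:');
}

// Returns one finding per matching record. Requests made with the master key
// are reported at "info" (the server's own administrative access is expected
// to use it); requests with only an application key are "high", since the
// advisory describes exactly that access as the vulnerability.
function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || typeof rec.url !== 'string') continue;
    const className = classFromUrl(rec.url);
    const viaBody = typeof rec.body === 'string' && rec.body.includes('_Join:');
    if (isInternalJoinClass(className) || viaBody) {
      const masterKey = rec.masterKey === true;
      hits.push({
        ts: rec.ts,
        method: rec.method,
        url: rec.url,
        className,
        viaBody,
        masterKey,
        severity: masterKey ? 'info' : 'high',
      });
    }
  }
  return hits;
}

// Stand-alone usage on the constructed records.
for (const hit of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(`[${hit.severity}] ${hit.ts} ${hit.method} ${hit.url}${hit.viaBody ? ' (GraphQL body)' : ''}`);
}
```

Any "high" finding on an unpatched deployment is worth treating as a potential role-membership change: compare the affected `_Role` objects' membership against a known-good snapshot before trusting role-gated data again.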
Important Note: There is no workaround that fully mitigates this vulnerability without applying the official patch. Upgrading is the only complete solution.