CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30228: Authorization Bypass in Parse Server Files API via readOnlyMasterKey

Vulnerability ID: CVE-2026-30228
CVSS Score: 6.9
Published: 2026-03-06

A high-severity authorization bypass exists in Parse Server's Files API, enabling holders of the readOnlyMasterKey to perform unauthorized write operations. While this key is architecturally intended to restrict access to read-only database queries, a logic flaw in the FilesRouter component permits it to bypass checks for file creation and deletion. This allows restricted administrators or compromised services possessing the read-only key to upload arbitrary files or delete existing assets, violating the integrity and availability of the application's file storage.

TL;DR

The readOnlyMasterKey in Parse Server, designed for read-only access, can be used to upload or delete files via the Files API due to missing authorization checks. Patched in versions 8.6.5 and 9.5.0-alpha.3.


⚠️ Exploit Status: PoC

Technical Details

  • CVE ID: CVE-2026-30228
  • CVSS v4.0: 6.9 (Medium)
  • CWE: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network
  • Privileges Required: High (readOnlyMasterKey)
  • Exploit Status: PoC Available

Affected Systems

  • Parse Server
  • parse-server: < 8.6.5 (Fixed in: 8.6.5)
  • parse-server: >= 9.0.0, < 9.5.0-alpha.3 (Fixed in: 9.5.0-alpha.3)

Code Analysis

Commit: 07bddc0

Fix for readOnlyMasterKey bypass in FilesRouter (v8)

Commit: 036365a

Fix for readOnlyMasterKey bypass in FilesRouter (v9)

Exploit Details

  • GitHub: Regression test case included in the fix commit demonstrating the bypass

Mitigation Strategies

  • Upgrade Parse Server to a patched version immediately.
  • Rotate the readOnlyMasterKey if exposure is suspected or if the key was shared with untrusted parties.
  • Restrict access to /files endpoints at the network level (e.g., via WAF or reverse proxy) if upgrading is delayed.

Remediation Steps:

  1. Identify the current version of parse-server in package.json.
  2. For users on v8.x, update to version 8.6.5 or later: npm install parse-server@8.6.5.
  3. For users on v9.x (alpha), update to 9.5.0-alpha.3 or later.
  4. Verify the fix by attempting a file creation request using the readOnlyMasterKey in a staging environment; the server should now return HTTP 403.
