
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30229: Privilege Escalation via Read-Only Master Key in Parse Server


Vulnerability ID: CVE-2026-30229
CVSS Score: 8.5
Published: 2026-03-06

A high-severity authorization bypass vulnerability exists in Parse Server's /loginAs endpoint. This administrative endpoint, designed to allow user impersonation, failed to strictly enforce scope restrictions on the provided master key. Consequently, an attacker possessing a readOnlyMasterKey—intended solely for data inspection—can successfully request a session token for any user, including full administrators. This results in a vertical privilege escalation from read-only access to full read/write capabilities across the entire application.

TL;DR

Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 contain a privilege escalation flaw. The /loginAs endpoint improperly accepts the readOnlyMasterKey for authentication, allowing restricted administrators to generate full session tokens for any user. This bypasses the intended read-only constraints of the key.
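To make the flaw concrete, here is an added model (not Parse Server's own code) of how the X-Parse-Master-Key header is resolved into an auth object and how the /loginAs handler behaves before and after the one-line guard from the fix. It assumes Parse Server flags auth as read-only when the supplied key equals the configured readOnlyMasterKey, and that Parse.Error.OPERATION_FORBIDDEN is code 119; all key and user values are constructed.

```javascript
// Constructed server configuration (placeholders, not real secrets).
const config = {
  masterKey: 'constructed-full-master-key',
  readOnlyMasterKey: 'constructed-read-only-master-key',
};

const OPERATION_FORBIDDEN = 119; // assumed value of Parse.Error.OPERATION_FORBIDDEN

// Assumption: a key matching readOnlyMasterKey yields isMaster plus isReadOnly.
function resolveAuth(headers, cfg) {
  const key = headers['x-parse-master-key'];
  if (key === cfg.masterKey) return { isMaster: true, isReadOnly: false };
  if (key === cfg.readOnlyMasterKey) return { isMaster: true, isReadOnly: true };
  return { isMaster: false, isReadOnly: false };
}

function forbidden(message) {
  const err = new Error(message);
  err.code = OPERATION_FORBIDDEN;
  return err;
}

// Simplified /loginAs: `patched` toggles the guard added in commit 0c940b7.
function handleLoginAs(req, cfg, patched) {
  const auth = resolveAuth(req.headers, cfg);
  if (!auth.isMaster) throw forbidden('master key is required');
  // The fix: reject a read-only master key before any user lookup happens.
  if (patched && auth.isReadOnly) {
    throw forbidden("read-only masterKey isn't allowed to login as another user.");
  }
  const userId = (req.body && req.body.userId) || req.query.userId;
  if (!userId) throw new Error('userId must be provided');
  // Stand-in for session creation; a real server would persist a _Session row.
  return { sessionToken: `r:constructed-session-for-${userId}`, userId };
}

// Helper that reports the outcome instead of throwing, handy for audits/tests.
function tryLoginAs(key, userId, patched) {
  const req = { headers: { 'x-parse-master-key': key }, body: { userId }, query: {} };
  try {
    return { ok: true, userId: handleLoginAs(req, config, patched).userId };
  } catch (e) {
    return { ok: false, code: e.code };
  }
}
```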


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • CVSS v4.0: 8.5 (High)
  • Attack Vector: Network
  • Privileges Required: High (ReadOnly Master Key)
  • Impact: Privilege Escalation
  • KEV Status: Not Listed

Affected Systems

  • Parse Server
  • Parse Server: < 8.6.6 (Fixed in: 8.6.6)
  • Parse Server: < 9.5.0-alpha.4 (Fixed in: 9.5.0-alpha.4)

Code Analysis

Commit: 0c940b7

Fix: throw when trying to loginAs with readOnlyMasterKey

diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index 3828e465e7..9abc71c4ce 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -341,6 +341,13 @@ export class UsersRouter extends ClassesRouter {
         req.config
       );
     }
+    if (req.auth.isReadOnly) {
+      throw createSanitizedError(
+        Parse.Error.OPERATION_FORBIDDEN,
+        "read-only masterKey isn't allowed to login as another user.",
+        req.config
+      );
+    }

     const userId = req.body?.userId || req.query.userId;
     if (!userId) {
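Review bot: The guard is placed before userId is read from the body or query, so a read-only master key is rejected before any user lookup or session creation; that ordering is correct and should be preserved if the handler is refactored. The message text "read-only masterKey" does not match the configuration option name readOnlyMasterKey, so consider aligning it to make server logs easier to search. Since the fix relies on req.auth.isReadOnly being set correctly upstream, the regression spec should cover both cases on /loginAs: a readOnlyMasterKey request receiving OPERATION_FORBIDDEN and a full masterKey request still succeeding.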

Commit: bc20945

Fix: throw when trying to loginAs with readOnlyMasterKey (v9 branch)

Unavailable in context

Exploit Details

  • GitHub: Jest test case added to spec/rest.spec.js demonstrating the attack vector.

Mitigation Strategies

  • Upgrade Parse Server to a fixed version.
  • Disable the readOnlyMasterKey in the server configuration if not strictly necessary.
  • Implement network-level access controls to restrict access to the /loginAs endpoint.

Remediation Steps:

  1. Identify the current running version of Parse Server.
  2. If running version < 8.6.6, schedule an upgrade to 8.6.6.
  3. If running version < 9.5.0-alpha.4 (and > 9.0.0), schedule an upgrade to 9.5.0-alpha.4.
  4. After upgrading, verify functionality using a non-privileged user account.
  5. Consider rotating the readOnlyMasterKey if it may have been exposed to untrusted parties.

Read the full report for CVE-2026-30229 on our website for more details including interactive diagrams and full exploit analysis.
