DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-30850: Missing Authorization in Parse Server File Metadata Endpoint

Vulnerability ID: CVE-2026-30850
CVSS Score: 6.3
Published: 2026-03-09

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 contain a missing authorization vulnerability (CWE-862) in the file metadata retrieval endpoint. The handler for file metadata requests does not invoke the developer-defined beforeFind and afterFind file triggers, which are the hook Parse Server applications use to enforce their own access rules on file operations. Any client that can reach the endpoint and knows the target filename can therefore retrieve that file's metadata without the checks the application intended to apply.
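To make the bypass concrete, here is an added illustration that is not Parse Server's own code: a minimal model of the metadata handler before and after the fix, with a stand-in trigger registry, a constructed metadata store and a simplified auth object. The names `maybeRunFileTrigger`, `getMetadata`, `metadataHandlerVulnerable`, `metadataHandlerFixed` and the file name `private-report.pdf` are assumptions of this model, not the project's API.

```javascript
// Added example (not Parse Server code): how skipping the file triggers
// turns an application-level access rule into a no-op for one endpoint.

// Developer-registered file triggers, keyed by type (beforeFind / afterFind).
const fileTriggers = { beforeFind: null, afterFind: null };

// Constructed metadata store standing in for filesController.getMetadata().
const metadataStore = {
  'private-report.pdf': { metadata: { owner: 'alice', tags: ['finance'] } },
};

async function getMetadata(filename) {
  const entry = metadataStore[filename];
  if (!entry) throw new Error('file not found');
  return entry;
}

// Run the trigger of the given type if the developer registered one; otherwise no-op.
async function maybeRunFileTrigger(type, file, auth) {
  const trigger = fileTriggers[type];
  if (!trigger) return;
  await trigger({ file, user: auth.user, master: auth.isMaster });
}

// A typical application rule: only the master key or a logged-in user may touch files.
fileTriggers.beforeFind = async ({ user, master }) => {
  if (!master && !user) throw new Error('unauthenticated file access denied');
};

// Vulnerable shape (pre-8.6.9 / pre-9.5.0-alpha.9): metadata is returned
// without consulting beforeFind / afterFind at all, so `auth` is never examined.
async function metadataHandlerVulnerable(filename, auth) {
  return getMetadata(filename);
}

// Fixed shape: a file-like object is built so the trigger sees the same input
// as for other file operations; beforeFind runs before the lookup, afterFind after.
async function metadataHandlerFixed(filename, auth) {
  const file = { name: filename, base64: '' };
  await maybeRunFileTrigger('beforeFind', file, auth);
  const data = await getMetadata(filename);
  await maybeRunFileTrigger('afterFind', file, auth);
  return data;
}

const anonymous = { user: null, isMaster: false };
const loggedIn = { user: { id: 'u1' }, isMaster: false };

// Drive both handlers with an anonymous caller and one logged-in caller.
async function demo() {
  const leaked = await metadataHandlerVulnerable('private-report.pdf', anonymous);
  let blocked = false;
  try {
    await metadataHandlerFixed('private-report.pdf', anonymous);
  } catch {
    blocked = true;
  }
  const allowed = await metadataHandlerFixed('private-report.pdf', loggedIn);
  return { leakedOwner: leaked.metadata.owner, blocked, allowedOwner: allowed.metadata.owner };
}
```

The vulnerable handler hands the anonymous caller the owner and tags of the file; the fixed handler rejects the same request and still serves the logged-in user, which is exactly the difference the advisory describes.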

TL;DR

An authorization bypass in Parse Server's file metadata endpoint exposes file metadata to callers who should be denied, because the endpoint never runs the application's beforeFind and afterFind file triggers. Upgrading to version 8.6.9 or 9.5.0-alpha.9 resolves the issue.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS 4.0 Score: 6.3 (Medium)
  • EPSS Score: 0.00049 (percentile: 14.84%)
  • Impact: Unauthorized Metadata Exposure
  • Exploit Status: PoC Available
  • CISA KEV: Not Listed

Affected Systems

  • Parse Server (Node.js backend)
  • parse-server: < 8.6.9 (Fixed in: 8.6.9)
  • parse-server: 9.0.0-alpha.1 to < 9.5.0-alpha.9 (Fixed in: 9.5.0-alpha.9)

Code Analysis

Commit: 10106

Fix for file metadata trigger bypass in FilesRouter

```javascript
// Patched metadata handler in FilesRouter (excerpt): a Parse.File object is
// constructed so the triggers receive the same shape as for other file
// operations; beforeFind runs before the lookup and afterFind after it.
const file = new Parse.File(filename, { base64: '' });
await triggers.maybeRunFileTrigger(triggers.Types.beforeFind, { file }, config, req.auth);
const data = await filesController.getMetadata(filename);
await triggers.maybeRunFileTrigger(triggers.Types.afterFind, { file }, config, req.auth);
```

Mitigation Strategies

  • Upgrade Parse Server to version 8.6.9 (8.x line) or 9.5.0-alpha.9 (9.x alpha line)
  • Until the upgrade is in place, add Express middleware that rejects GET requests to the file metadata endpoint

Remediation Steps:

  1. Identify the Parse Server version running in the environment (for example with `npm ls parse-server`).
  2. Update the parse-server package via npm/yarn to 8.6.9 or later, or to 9.5.0-alpha.9 or later if the deployment tracks the 9.x alpha line.
  3. If upgrading is not possible, register middleware that returns a 403 status for GET requests to /parse/files/:appId/metadata/:filename before Parse Server is mounted; replace the /parse prefix with the mount path the deployment actually uses.
  4. Verify that file uploads, downloads, and other standard file operations continue to function normally.
  5. Run the application test suite to ensure custom file triggers execute correctly.
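A concrete form of the stop-gap in step 3, added here as an example rather than taken from the advisory or from Parse Server: a middleware with the Express `(req, res, next)` signature that answers 403 for the metadata route and lets every other file request through. `blockFileMetadata`, `simulate` and the `/parse` mount path are assumptions; `simulate` drives the guard with constructed request and response stubs so it can be exercised without Express installed.

```javascript
// Added example (not from the advisory or Parse Server): block the file
// metadata route at the Express layer until the instance is upgraded.

function blockFileMetadata(mountPath = '/parse') {
  // Escape the mount path so it is matched literally inside the pattern.
  const escaped = mountPath.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // GET <mount>/files/:appId/metadata/:filename, exactly one segment per
  // parameter, optional trailing slash. req.path carries no query string,
  // so "?x=y" cannot be used to slip past the check.
  const route = new RegExp(`^${escaped}/files/[^/]+/metadata/[^/]+/?$`);

  return function fileMetadataGuard(req, res, next) {
    if (req.method === 'GET' && route.test(req.path)) {
      res.status(403).json({ error: 'file metadata endpoint disabled' });
      return; // next() is deliberately not called: FilesRouter never sees the request
    }
    next();
  };
}

// With a real app, register the guard before mounting Parse Server so it runs first:
//   app.use(blockFileMetadata('/parse'));
//   app.use('/parse', parseServer.app);

// Constructed stubs standing in for Express req/res, so the guard can be
// exercised offline. Returns which branch fired.
function simulate(method, path, mountPath = '/parse') {
  let status = null;
  let body = null;
  let passed = false;
  const res = {
    status(code) { status = code; return this; },
    json(payload) { body = payload; return this; },
  };
  blockFileMetadata(mountPath)({ method, path }, res, () => { passed = true; });
  return { status, body, passed };
}
```

A metadata request on the default mount gets the 403 and never reaches the next handler, while a plain download of the same file and a request under a different mount path pass straight through, which is the behaviour step 4 asks you to confirm.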

Read the full report for CVE-2026-30850 on our website for more details including interactive diagrams and full exploit analysis.
