QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-30228

Back to search

CVE-2026-30228

Published: Mar 6, 2026

Modified: Mar 9, 2026

PUBLISHED

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.

VendorProductVersions

parse-community

parse-server

affected
< 8.6.5
affected
< 9.5.0-alpha.3

Weaknesses (CWE)

CWE-863

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now