CVE-2026-32728 in parse-server

Summary

by MITRE • 03/19/2026

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist. This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage.

The fix in versions 9.6.0-alpha.15 and 8.6.41 strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers.

Note that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future. As a workaround, configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.


Analysis

by VulDB Data Team • 03/23/2026

The vulnerability identified as CVE-2026-32728 affects Parse Server, a popular open-source backend framework designed for Node.js environments. This security flaw exists in versions prior to 9.6.0-alpha.15 and 8.6.41, creating a significant risk for applications that permit file uploads. The core issue stems from improper handling of MIME parameters within the Content-Type header during file extension validation processes, which allows malicious actors to circumvent security measures designed to block potentially dangerous file types.

The exploitation occurs when an attacker appends a MIME parameter such as ";charset=utf-8" to the Content-Type header of an uploaded file. The extension validation logic then fails to match the parameterised header value against the configured blocklist, so active content is stored on the server and subsequently served under the application's domain. The vulnerability specifically targets the extension validation mechanism, which is meant to keep script-capable file types out of the application's origin but can be bypassed through parameter manipulation. The entry aligns this behavior with CWE-444 (Inconsistent Interpretation of HTTP Requests); in practice the root cause is closer to an unrestricted upload of a dangerous file type (CWE-434) that results in stored cross-site scripting (CWE-79) in the browsers of users who open the served file. Nothing in the advisory indicates code execution on the server itself.

The operational impact extends beyond a bypassed upload restriction: it creates the conditions for stored cross-site scripting that can compromise user sessions and credentials. Because certain XML-based file extensions that browsers render as active content were missing from the default blocklist, an attacker could also reach the same result without the parameter trick by simply uploading a file with one of those extensions. Either path yields a script that runs in the application's origin, opening the way to session token theft, credential harvesting, and access to data kept in the browser's local storage. The malicious content is persistent, so it can affect every user who loads the file over time. The attack vector maps to ATT&CK technique T1190 (Exploit Public-Facing Application), since the entry point is a flaw in the web application's upload handling rather than any separate foothold.

The fix in versions 9.6.0-alpha.15 and 8.6.41 addresses the root cause by stripping MIME parameters from the Content-Type header before the file extension is validated against the blocklist, so the check operates on the bare media type rather than on a value the attacker can pad with parameters. Additionally, the default blocklist has been expanded with the XML-based extensions xsd, rng, rdf, rdf+xml, owl, mathml, and mathml+xml, which browsers can render as active content. This second change illustrates how quickly a denylist falls behind the set of types a browser will execute and why such lists need continuous maintenance. The patch also addresses CWE-707 (Improper Neutralization) by ensuring that the parameterized Content-Type value is normalized before it is used in a security decision.

Security practitioners should understand that the default denylist provides basic protection only; it is not exhaustive and should not be considered sufficient for production environments. The vulnerability highlights the principle that default security configurations should never be relied upon exclusively, as new file extensions that browsers render as active content may emerge that are not yet on any list. Organizations should apply the recommended workaround and configure the fileUpload.fileExtensions option as an allowlist of only the file extensions their application actually needs. This is a default-deny posture: it reduces the attack surface by explicitly defining which file types are acceptable, rather than trusting a potentially incomplete blocklist to enumerate what is dangerous. The issue also underscores the importance of validating all user input, including file uploads, as emphasized under OWASP Top Ten 2021 category A03 (Injection), which covers cross-site scripting.
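As an added example (not Parse Server's own code and not part of the original entry), the following Node.js script models the filter described in the exploitation and fix paragraphs above together with the allowlist workaround: an extension is taken from the file name or, failing that, derived from the Content-Type header through a lookup table. The MIME table, both blocklists, the application allowlist and the sample uploads are constructed for this example; Parse Server's real tables, defaults and code paths are assumed to work along these lines but may differ in detail.

```javascript
// Added example, not Parse Server's code: a simplified upload extension filter
// that falls back to the Content-Type header when the file name has no
// extension. It shows the MIME-parameter bypass, the advisory's fix (strip
// parameters before the lookup) and the allowlist workaround.

// Constructed stand-in for a MIME library's type-to-extension table.
const MIME_TO_EXT = {
  'text/html': 'html',
  'image/svg+xml': 'svg',
  'application/xml': 'xml',
  'application/mathml+xml': 'mathml',
  'image/png': 'png',
  'application/pdf': 'pdf',
};

// Constructed blocklists: before and after the advisory's extension of the
// default denylist with XML-based types that browsers can render.
const OLD_BLOCKLIST = ['html', 'htm', 'js', 'svg', 'xml', 'xhtml'];
const NEW_BLOCKLIST = [...OLD_BLOCKLIST, 'xsd', 'rng', 'rdf', 'rdf+xml', 'owl', 'mathml', 'mathml+xml'];

// Constructed allowlist for an application that only stores images and PDFs.
const APP_ALLOWLIST = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

function extensionFromFilename(filename) {
  const dot = filename.lastIndexOf('.');
  return dot === -1 ? null : filename.slice(dot + 1).toLowerCase();
}

// Vulnerable path: the raw header value is the lookup key, so
// 'text/html;charset=utf-8' matches nothing and no extension is derived.
function extensionFromContentTypeVulnerable(contentType) {
  return MIME_TO_EXT[contentType.trim().toLowerCase()] ?? null;
}

// Fixed path: drop MIME parameters (everything from the first ';') and
// normalise case/whitespace before the lookup.
function mediaTypeOf(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}
function extensionFromContentTypeFixed(contentType) {
  return MIME_TO_EXT[mediaTypeOf(contentType)] ?? null;
}

// Denylist check shared by both variants. A file whose extension cannot be
// determined is accepted, which is exactly what the bypass relies on.
function denylistAllows(filename, contentType, blocklist, deriveExt) {
  const ext = extensionFromFilename(filename) ?? deriveExt(contentType);
  return ext === null || !blocklist.includes(ext);
}

function isAllowedVulnerable(filename, contentType, blocklist = OLD_BLOCKLIST) {
  return denylistAllows(filename, contentType, blocklist, extensionFromContentTypeVulnerable);
}

function isAllowedFixed(filename, contentType, blocklist = NEW_BLOCKLIST) {
  return denylistAllows(filename, contentType, blocklist, extensionFromContentTypeFixed);
}

// Allowlist check (the advisory's recommended configuration): the extension
// must be determinable and explicitly permitted; anything else is rejected.
function isAllowedByAllowlist(filename, contentType, allowlist = APP_ALLOWLIST) {
  const ext = extensionFromFilename(filename) ?? extensionFromContentTypeFixed(contentType);
  return ext !== null && allowlist.includes(ext);
}

// Constructed upload attempts: a legitimate image, the parameter bypass, the
// same payload without the trick, and an XML type the old default list missed.
const SAMPLES = [
  ['photo.png', 'image/png'],
  ['payload', 'text/html;charset=utf-8'],
  ['payload', 'text/html'],
  ['formula.mathml', 'application/mathml+xml'],
];

function evaluate(samples = SAMPLES) {
  return samples.map(([name, type]) => ({
    name,
    type,
    vulnerable: isAllowedVulnerable(name, type),
    fixed: isAllowedFixed(name, type),
    allowlist: isAllowedByAllowlist(name, type),
  }));
}

for (const row of evaluate()) {
  console.log(JSON.stringify(row));
}
```

Run with `node`: the second row is the bypass (accepted by the vulnerable check, rejected by both the fixed check and the allowlist), the fourth row shows a type that slipped past the old denylist, and the first row shows that a legitimate image passes all three. The allowlist variant also rejects any upload whose extension cannot be determined, which is the default-deny property the advisory recommends.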

Responsible

GitHub M

Reservation

03/13/2026

Disclosure

03/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low

Sources
