CVE-2026-32878 in parse-server

Summary

by MITRE • 03/19/2026

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.


Analysis

by VulDB Data Team • 03/23/2026

CVE-2026-32878 affects Parse Server, a popular open-source backend designed for deployment on Node.js infrastructure. The flaw lies in the deep copy mechanism used by the platform's data processing functions, specifically in how prototype properties are handled when objects are cloned. Versions prior to 9.6.0-alpha.20 and 8.6.44 are affected, and the result is a critical prototype pollution condition that undermines the platform's security controls. The root cause is a vulnerable third-party deep copy library that does not properly sanitize prototype properties during cloning, which lets an attacker bypass the established security measures.

Exploitation uses crafted requests that drive the deep copy mechanism into injecting prototype properties into class schemas. This prototype pollution bypasses the default request keyword denylist protection and the class-level permission controls that are meant to prevent unauthorized field additions. When a specially crafted request arrives, the vulnerable deep copy library processes the prototype properties in a way that lets malicious fields reach class schemas even when those schemas have field addition locked down. The attack relies on a general property of JavaScript: prototype pollution produces unexpected behaviour when objects are cloned or merged, particularly in code that does not handle prototype properties correctly during deep cloning.

The operational impact goes beyond simple data injection: the attack creates permanent schema type conflicts that cannot be resolved even with master key access. This is particularly dangerous because it alters the fundamental schema structure of the database, with the potential for system-wide disruption and data integrity problems. Fields that the system's security controls would normally block can be injected, leading to unauthorized modification of class schemas and possible data corruption. Once the schema pollution has occurred, the system becomes unstable and may require complete reinitialization, because the master key cannot override the prototype pollution effects that have altered the schema definitions. This vulnerability directly relates to CWE-471, which addresses the issue of prototype pollution in software systems, and aligns with ATT&CK technique T1566.001 for initial access through malicious input and T1078.004 for valid accounts usage in privilege escalation.

Remediation is to upgrade to Parse Server 9.6.0-alpha.20 or 8.6.44, which replace the vulnerable third-party deep copy library with a built-in deep clone mechanism that handles prototype properties properly. With prototype properties sanitized during cloning, the existing denylist checks function as intended and reject prohibited keywords, so malicious prototype properties can no longer bypass security controls or corrupt schema definitions. Affected organizations should upgrade to the patched versions immediately and review their Parse Server deployments for signs of exploitation before the fix was applied. Security teams should also look for unauthorized schema modifications or data injection attempts made while the system was exposed to prototype pollution attacks.
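The following is an added illustration of the mechanism described above, not Parse Server's own code or the third-party library it replaced: an assignment-based deep copy silently turns an own "__proto__" key into a prototype rewrite, so a denylist check that runs on the copy never sees the key, while a clone that defines every key as an own property keeps the check effective. The denylist contents, the request body and the function names are assumptions constructed for this example.

```javascript
// Added illustration, not Parse Server's code; denylist contents and names are assumptions.
const REQUEST_KEYWORD_DENYLIST = ['__proto__', 'constructor', 'prototype'];

// Walks the request body and returns the path of the first denied key, or null.
// Like many such checks it only inspects own enumerable keys (Object.keys).
function findDeniedKeyword(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (REQUEST_KEYWORD_DENYLIST.includes(key)) return here;
    const hit = findDeniedKeyword(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Unsafe pattern: out['__proto__'] = x does not create an own key, it rewires the
// prototype of `out`, so the key vanishes from Object.keys(out) while its fields
// stay reachable through the prototype chain.
function naiveDeepCopy(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(naiveDeepCopy);
  const out = {};
  for (const key of Object.keys(value)) out[key] = naiveDeepCopy(value[key]);
  return out;
}

// Safe clone: every key, including '__proto__', becomes an own data property
// (defineProperty bypasses the __proto__ accessor), so the prototype is untouched
// and a later denylist check still sees the prohibited key.
function safeDeepClone(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(safeDeepClone);
  const out = {};
  for (const key of Object.keys(value)) {
    Object.defineProperty(out, key, {
      value: safeDeepClone(value[key]), enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Constructed request body: JSON.parse yields an own "__proto__" key (an object
// literal would not), which is exactly what the denylist is meant to catch.
const CRAFTED_BODY = '{"title":"hello","__proto__":{"injectedField":"x"}}';

// Clone the parsed body with the given strategy, then run the denylist check on the
// copy and report whether the injected field leaked and what a for-in walker would see.
function processRequest(cloneFn, rawJson = CRAFTED_BODY) {
  const copy = cloneFn(JSON.parse(rawJson));
  const enumerated = []; for (const k in copy) enumerated.push(k);
  return { denied: findDeniedKeyword(copy), leaked: 'injectedField' in copy, enumerated };
}
```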

Disclosure

03/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low

Sources
