CVE-2026-33539 in parse-server

Summary

by MITRE • 03/24/2026

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.


Analysis

by VulDB Data Team • 03/29/2026

This vulnerability exists in Parse Server, an open source backend framework that runs on Node.js. It is a privilege escalation flaw: an attacker who already holds the application's master key can execute arbitrary SQL against the PostgreSQL database behind the server. The defect sits in the PostgreSQL storage adapter of Parse Server's database abstraction layer, in the code paths that service the aggregate pipeline's $group stage and the distinct operation. Field names supplied in those requests are incorporated into the SQL text in identifier positions (the selected column and the GROUP BY clause) without sufficient validation or quoting.

The root cause is the classic one: user-controlled names are spliced into query strings, so SQL metacharacters in a crafted field name can terminate the intended identifier and let additional SQL follow. Bound query parameters cannot fix this class of bug, because a SQL driver binds values, never table or column names; identifiers must be allow-listed (Parse's schema validation already restricts field names to simple identifiers, so a check at the adapter boundary costs nothing) or quoted according to the database's identifier quoting rules. The issue maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The attack surface is limited to PostgreSQL deployments; MongoDB deployments are not affected by this flaw.
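To make the identifier-position problem described in the two paragraphs above concrete, here is an added illustrative example. It is not Parse Server's code and not its actual vulnerable or patched code path: a toy query builder places a request-supplied field name into a DISTINCT and a GROUP BY query, first unsafely, then behind an allow-list check and PostgreSQL identifier quoting. The function names, the "Player" table and the constructed payload string are assumptions for illustration only; the SQL text is built and inspected, never executed.

```javascript
// Added illustrative example, not Parse Server's code and not its actual vulnerable
// or patched code path. Function names, the "Player" table and the payload string are
// assumptions. The SQL is only built and inspected here, never executed.

// Illustrative allow-list: a field name must be a plain identifier. Parse's own schema
// validation enforces a similar rule; this regex is not a copy of it.
const FIELD_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: the request-supplied name is spliced straight into the query.
// A bound parameter ($1) cannot be used here because this is an identifier position.
function buildDistinctUnsafe(table, field) {
  return `SELECT DISTINCT "${field}" FROM "${table}"`;
}

// Control 1: reject anything that is not a plain identifier before it reaches SQL.
function assertFieldName(field) {
  if (typeof field !== 'string' || !FIELD_NAME_RE.test(field)) {
    throw new Error(`invalid field name: ${JSON.stringify(field)}`);
  }
  return field;
}

// Control 2: PostgreSQL identifier quoting. An embedded double quote is doubled,
// so the name can never terminate the quoted identifier it sits in.
function quoteIdent(name) {
  if (name.includes('\0')) throw new Error('NUL byte in identifier');
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildDistinctSafe(table, field) {
  return `SELECT DISTINCT ${quoteIdent(assertFieldName(field))} FROM ${quoteIdent(table)}`;
}

// The same treatment for a $group-style query: the grouped column and the
// aggregated column are both identifier positions.
function buildGroupSafe(table, groupField, sumField) {
  const g = quoteIdent(assertFieldName(groupField));
  const s = quoteIdent(assertFieldName(sumField));
  return `SELECT ${g} AS "groupKey", SUM(${s}) AS "total" FROM ${quoteIdent(table)} GROUP BY ${g}`;
}

// Constructed payload: closes the identifier, ends the statement, appends another one,
// and comments out the tail of the original query.
const EVIL_FIELD = 'score" FROM "Player"; DROP TABLE "Player"; --';

// Crude statement count by splitting on ';' (adequate for these synthetic strings).
function statementCount(sql) {
  return sql.split(';').filter(s => s.trim().length > 0).length;
}

function demo() {
  const unsafe = buildDistinctUnsafe('Player', EVIL_FIELD);
  let safeError = null;
  try { buildDistinctSafe('Player', EVIL_FIELD); } catch (e) { safeError = e.message; }
  return {
    unsafe,
    unsafeStatements: statementCount(unsafe),   // 3: the DROP got into the query text
    safeError,                                  // rejected before any SQL text exists
    quotedOnly: quoteIdent('a"b'),              // "a""b": quoting alone also neutralises the quote
    safeNormal: buildDistinctSafe('Player', 'score'),
    groupNormal: buildGroupSafe('Player', 'team', 'score'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two controls are shown deliberately: the allow-list is the primary one, because Parse field names are simple identifiers and anything else is an error worth rejecting loudly; identifier quoting is defence in depth for any adapter code that must accept broader names. pg-promise, the PostgreSQL driver Parse Server uses, exposes identifier escaping through its `:name` formatting filter, which achieves the same doubling of embedded quotes as `quoteIdent` here.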

The impact for affected deployments is the loss of the boundary between application administration and the database. The master key already grants full read and write access to application data through the Parse API, so the escalation is from that API to raw SQL: SELECT, INSERT, UPDATE and DELETE against any table the Parse Server database role can reach, plus DDL and whatever administrative statements that role is permitted to run. How far that goes depends on the PostgreSQL role Parse Server connects as: a superuser role turns this into control of the whole database server, while a least-privilege role confines it to the application's own schema. The precondition is strong, though. The master key is the highest-privilege credential in a Parse deployment and is meant to stay server-side, so an attacker who holds it has already compromised the deployment at the application level; that is consistent with the very low EPSS score on this page.

Upgrade to Parse Server 8.6.59 or 9.6.0-alpha.53 (or later) to remediate. Identifiers cannot be bound as query parameters, so the durable fix for this class of bug is allow-list validation of field names and proper identifier quoting before they reach the SQL text, which is what the upgrade delivers for these code paths. Security teams should inventory Parse Server deployments, confirm which of them run on PostgreSQL (the others are not affected), and review master key handling. The master key is a static secret rather than a user login, so multi-factor authentication does not apply to it; instead rotate it, keep it out of client builds and repositories, and restrict where it is accepted (Parse Server's masterKeyIps option limits master key use to listed source addresses). Independently of the patch, run Parse Server against a PostgreSQL role that owns only the application schema and is not a superuser, segment the network so only the application servers can reach the database, and log statements (PostgreSQL's log_statement setting or the pgaudit extension) so that a DROP, ALTER or unexpected SELECT issued by the application role is visible to detection. In ATT&CK terms the abuse is Exploitation for Privilege Escalation (T1068): a vulnerability is used to move from one privilege level to a higher one.
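A small triage helper for the inventory step above, added here and not part of Parse Server or of VulDB's tooling. It decides whether a deployed version string falls in the affected range the advisory states and whether the deployment's databaseURI even selects the PostgreSQL adapter. Semver prerelease ordering matters: 9.6.0-alpha.5 is older than 9.6.0-alpha.53 although "5" sorts after "53" as text, and a plain 9.6.0 release is newer than any 9.6.0 alpha. The fixed versions come from the advisory; the function names, the scheme check and the sample inventory are assumptions.

```javascript
// Added example: a triage helper for this advisory. Not Parse Server or VulDB code;
// function names and sample inputs are assumptions, the fix versions are from the advisory.

const FIXED_STABLE = '8.6.59';             // first fixed 8.x release
const FIXED_PRERELEASE = '9.6.0-alpha.53'; // first fixed 9.x alpha

// Parse "MAJOR.MINOR.PATCH[-pre.release]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// semver prerelease identifier ordering: numeric identifiers compare as integers
// and sort before alphanumeric ones; alphanumerics compare lexically.
function comparePreIds(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator: <0 if x is older than y, 0 if equal, >0 if newer.
// A prerelease is older than the release with the same core (9.6.0-alpha.53 < 9.6.0).
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1; // shorter prerelease list is older
    if (b.pre[i] === undefined) return 1;
    const c = comparePreIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Affected range from the advisory: everything before 8.6.59 on the 8.x (and older)
// line, and everything before 9.6.0-alpha.53 on the 9.x line.
function isAffectedVersion(version) {
  const { core } = parseVersion(version);
  const fix = core[0] >= 9 ? FIXED_PRERELEASE : FIXED_STABLE;
  return compareVersions(version, fix) < 0;
}

// Assumption: Parse Server selects its PostgreSQL adapter when databaseURI uses the
// postgres:// or postgresql:// scheme. MongoDB URIs are out of scope for this CVE.
function usesPostgres(databaseURI) {
  return /^postgres(ql)?:\/\//i.test(String(databaseURI));
}

// Combined verdict for one deployment.
function needsAction(version, databaseURI) {
  return usesPostgres(databaseURI) && isAffectedVersion(version);
}

// Constructed sample inventory, not real hosts.
const SAMPLE_DEPLOYMENTS = [
  { name: 'api-prod',  version: '8.6.58',        databaseURI: 'postgres://app@db.internal/parse' },
  { name: 'api-next',  version: '9.6.0-alpha.5', databaseURI: 'postgresql://app@db2.internal/parse' },
  { name: 'api-mongo', version: '8.6.40',        databaseURI: 'mongodb://mongo.internal/parse' },
  { name: 'api-fixed', version: '8.6.59',        databaseURI: 'postgres://app@db.internal/parse' },
];

// Names of deployments that still need the upgrade.
function triage(deployments = SAMPLE_DEPLOYMENTS) {
  return deployments.filter(d => needsAction(d.version, d.databaseURI)).map(d => d.name);
}

console.log('needs upgrade:', triage().join(', '));
```

The version string normally comes from the deployed package's `package.json` (or `npm ls parse-server`), and the databaseURI from the server configuration; the helper only encodes the range logic so that an inventory script does not get the prerelease comparison wrong.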

Responsible

GitHub M

Reservation

03/20/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low
