CVE-2026-30228 Overview
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A critical authorization bypass has been identified in Parse Server's Files API: the readOnlyMasterKey, which is meant to grant read-only access, can be used to perform write and delete operations on files. Prior to versions 8.6.5 and 9.5.0-alpha.3, a request carrying the readOnlyMasterKey can create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction and violates the intended access scope of the readOnlyMasterKey.
Critical Impact
Any unpatched Parse Server deployment that configures a readOnlyMasterKey and exposes the Files API is affected. An attacker who holds the readOnlyMasterKey can upload arbitrary files or delete existing ones, potentially leading to data loss, defacement, or malicious file injection.
Affected Products
- parseplatform parse-server versions prior to 8.6.5
- parseplatform parse-server versions 9.5.0-alpha.1 and 9.5.0-alpha.2
- Any Parse Server deployment that configures a readOnlyMasterKey and exposes the Files API
Discovery Timeline
- 2026-03-06 - CVE-2026-30228 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30228
Vulnerability Analysis
This vulnerability (CWE-863: Incorrect Authorization) exists in Parse Server's Files API authorization logic. The readOnlyMasterKey is designed to provide read-only access to Parse Server resources, allowing operations like querying data without the ability to modify or delete it. However, the Files API endpoints for file creation (POST /files/:filename) and file deletion (DELETE /files/:filename) do not enforce the read-only restriction when a request is authenticated with the readOnlyMasterKey.
The authorization check for these endpoints does not distinguish between the full masterKey and the readOnlyMasterKey when processing file upload and deletion requests. Anyone who knows the readOnlyMasterKey can therefore perform privileged write operations that should be reserved for the full masterKey.
Root Cause
The root cause is an incomplete authorization check in the Files API request handlers. Both the full masterKey and the readOnlyMasterKey are presented in the same X-Parse-Master-Key header, so the server has to classify the value it receives and carry that classification into the request's auth context. When a request is made to create or delete a file, the handler validates that a master key is present but does not check whether the key presented is the read-only variant. The authorization logic therefore treats masterKey and readOnlyMasterKey equivalently for these operations, violating the principle of least privilege and the intended access control model.
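The following is an added illustration of that root cause, not Parse Server's own code. It models the two facts the analysis relies on: the full masterKey and the readOnlyMasterKey arrive in the same header, so the server must classify the value, and the resulting auth context carries both an "is master" and an "is read-only" flag that a route guard has to check. The key values, the `safeEqual` helper and the guard function names are constructed for the example; the vulnerable guard checks only the first flag, the fixed guard checks both.

```javascript
// Added illustration of the root cause, not Parse Server's own code.
// Key values below are constructed example values.
const config = {
  masterKey: 'full-master-key-example',
  readOnlyMasterKey: 'read-only-master-key-example',
};

// Constant-time string comparison so a header check does not leak key prefixes.
// (In production Node code, crypto.timingSafeEqual on equal-length buffers is the
// usual choice; this dependency-free version keeps the example self-contained.)
function safeEqual(a, b) {
  const x = String(a ?? '');
  const y = String(b ?? '');
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Classify the X-Parse-Master-Key header value into an auth object.
function authFromMasterKeyHeader(headerValue, cfg = config) {
  if (headerValue != null && safeEqual(headerValue, cfg.masterKey)) {
    return { isMaster: true, isReadOnly: false };
  }
  if (headerValue != null && cfg.readOnlyMasterKey && safeEqual(headerValue, cfg.readOnlyMasterKey)) {
    return { isMaster: true, isReadOnly: true };
  }
  return { isMaster: false, isReadOnly: false };
}

const FILE_WRITE_METHODS = new Set(['POST', 'DELETE']);

// Vulnerable guard: asks only "is this a master key?", so the read-only variant
// (isMaster: true, isReadOnly: true) passes for POST and DELETE.
// GET is left open in this model, as file downloads are served without a key.
function vulnerableFilesGuard(method, auth) {
  if (FILE_WRITE_METHODS.has(method) && !auth.isMaster) return 'denied';
  return 'allowed';
}

// Fixed guard: a write needs a master key that is NOT the read-only variant.
function fixedFilesGuard(method, auth) {
  if (FILE_WRITE_METHODS.has(method) && (!auth.isMaster || auth.isReadOnly)) return 'denied';
  return 'allowed';
}

// Decision table: each configured key (plus no key) against GET/POST/DELETE.
function decisionTable(guard, cfg = config) {
  const presented = [
    ['master', cfg.masterKey],
    ['read-only', cfg.readOnlyMasterKey],
    ['none', undefined],
  ];
  const rows = [];
  for (const [key, header] of presented) {
    const auth = authFromMasterKeyHeader(header, cfg);
    for (const method of ['GET', 'POST', 'DELETE']) {
      rows.push({ key, method, result: guard(method, auth) });
    }
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(decisionTable(vulnerableFilesGuard));
  console.table(decisionTable(fixedFilesGuard));
}
```

Running the file prints both decision tables; the only rows that differ are the read-only key's POST and DELETE rows, which the vulnerable guard allows and the fixed guard denies.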
Attack Vector
The attack vector is network-based and requires the attacker to already hold the readOnlyMasterKey (together with the application ID, which every Parse request carries in the X-Parse-Application-Id header). An attacker can exploit this vulnerability by:
- Obtaining the readOnlyMasterKey (often shared more liberally than the full masterKey because it is presumed to be harmless)
- Crafting HTTP requests to the Files API endpoints with the readOnlyMasterKey in the X-Parse-Master-Key header, the same header used for the full masterKey
- Uploading malicious files via POST /files/:filename or deleting legitimate files via DELETE /files/:filename
The vulnerability can be exploited remotely without user interaction. Since the readOnlyMasterKey is often distributed to services or users that only need read access, the attack surface may be larger than expected. Exploitation allows file uploads (potentially enabling stored XSS or malware distribution) and file deletion (causing data loss or service disruption).
Detection Methods for CVE-2026-30228
Indicators of Compromise
- Unexpected file creation or deletion activity in Parse Server logs
- Files API requests using readOnlyMasterKey with POST or DELETE methods
- New or modified files in storage that were not created through legitimate application flows
- Anomalous patterns in file storage access logs correlating with readOnlyMasterKey authentication
Detection Strategies
- Monitor Parse Server access logs for POST /files/ and DELETE /files/ requests authenticated with the readOnlyMasterKey; because both keys travel in the same X-Parse-Master-Key header, this requires the server or a proxy in front of it to record which configured key matched (a role label or a hash fingerprint), never the key value itself
- Alert on file creation or deletion events that occur outside normal application behavior
- Do not rely on raw web server logs alone: they typically do not capture request headers, so add a proxy or middleware that tags Files API requests with the key role before building detections on them
- Deploy application-layer monitoring that tracks file operations and correlates them with the authentication method used
Monitoring Recommendations
- Enable detailed logging for all Files API operations, including which key was used (recorded as a role or fingerprint, not the key itself)
- Set up file integrity monitoring on Parse Server storage backends to detect unauthorized modifications
- Create dashboards to visualize file operation trends and identify anomalous spikes in creation or deletion
- Implement real-time alerting for any write operation attempted with the readOnlyMasterKey; after patching these attempts are rejected, but they still indicate that the key is being misused or has leaked
How to Mitigate CVE-2026-30228
Immediate Actions Required
- Upgrade Parse Server to version 8.6.5, or to 9.5.0-alpha.3 on the alpha track, immediately
- Rotate both masterKey and readOnlyMasterKey after upgrading to invalidate any potentially compromised keys, and update every service that holds them
- Audit file storage for unauthorized files or missing legitimate files
- Review access logs to determine if the vulnerability was exploited prior to patching
Patch Information
Parse Server has released patched versions that enforce the read-only restriction for the readOnlyMasterKey on the Files API endpoints. The fix rejects file creation and deletion requests that are authenticated with the readOnlyMasterKey.
| Version Track | Patched Version | Release Link |
|---|---|---|
| 8.x | 8.6.5 | Parse Server Release 8.6.5 |
| 9.x-alpha | 9.5.0-alpha.3 | Parse Server Release 9.5.0-alpha.3 |
For complete details on the vulnerability and patch, refer to the GitHub Security Advisory GHSA-xfh7-phr7-gr2x.
Workarounds
- Restrict network access to the Files API endpoints using firewall rules or reverse proxy configurations; at minimum, block POST and DELETE to the files path from anything other than trusted backend sources
- If the readOnlyMasterKey is not required, remove the readOnlyMasterKey option from the Parse Server configuration so that no read-only key exists to be misused
- Add a check in front of Parse Server (API gateway, WAF rule, or middleware mounted before the Parse API) that rejects POST and DELETE requests to the files path when the X-Parse-Master-Key header carries the readOnlyMasterKey
- Temporarily disable the Files API if file upload/download functionality is not critical to operations until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


