CVE-2026-30229 Overview
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A critical authorization bypass vulnerability was discovered in Parse Server where the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data, effectively bypassing the intended access control restrictions.
Critical Impact
Any Parse Server deployment using readOnlyMasterKey is vulnerable to complete user impersonation, allowing attackers with read-only credentials to gain full read and write access to any user's data.
Affected Products
- parseplatform parse-server versions prior to 8.6.6
- parseplatform parse-server versions 9.5.0-alpha1 through 9.5.0-alpha3
- Any Parse Server deployment utilizing the readOnlyMasterKey feature
Discovery Timeline
- 2026-03-06 - CVE-2026-30229 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30229
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), representing a fundamental flaw in the access control mechanism of Parse Server. The readOnlyMasterKey was designed to provide restricted, read-only access to the Parse Server API, enabling use cases where applications need to query data without modification privileges.
However, the /loginAs endpoint fails to properly validate the authorization level of the requesting key. When a request is made using the readOnlyMasterKey, the endpoint incorrectly grants the ability to generate valid session tokens for arbitrary users. These session tokens provide full read and write access to the target user's data, completely circumventing the read-only restriction that the readOnlyMasterKey was intended to enforce.
Root Cause
The root cause lies in improper authorization checks within the /loginAs endpoint implementation. The endpoint does not distinguish between the masterKey (which should have full administrative privileges) and the readOnlyMasterKey (which should be restricted to read-only operations). This missing authorization boundary allows the read-only key to perform privileged operations that should only be available to the full master key.
Attack Vector
An attacker with access to a readOnlyMasterKey can exploit this vulnerability remotely over the network. The attack requires no user interaction and can be executed with low complexity. The attacker makes a POST request to the /loginAs endpoint, specifying the target user they wish to impersonate. The server incorrectly validates the request and returns a valid session token for that user.
With this session token, the attacker can:
- Read all private data belonging to the impersonated user
- Modify or delete the user's data
- Perform any action the legitimate user could perform
- Potentially escalate to other users by repeating the attack
The vulnerability is exploited by sending a crafted HTTP POST request to the /loginAs endpoint with the readOnlyMasterKey in the request headers along with the target user's identifier. The server responds with a valid session token that grants full access to that user's account. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-30229
Indicators of Compromise
- Unexpected POST /loginAs requests in server logs originating from systems using readOnlyMasterKey authentication
- Session tokens generated for users without corresponding legitimate login activity
- Anomalous data access or modification patterns from sessions initiated via the /loginAs endpoint
- Multiple user impersonation attempts from a single source using read-only credentials
Detection Strategies
- Monitor Parse Server access logs for POST /loginAs requests authenticated with X-Parse-Master-Key headers that correspond to known readOnlyMasterKey values
- Implement alerting on any /loginAs endpoint usage and correlate with authorized administrative actions
- Audit session creation events and flag sessions created through the /loginAs endpoint for review
- Deploy runtime application security monitoring to detect authorization bypass attempts
Monitoring Recommendations
- Enable verbose logging on Parse Server to capture all authentication-related events including the key type used
- Configure SIEM rules to correlate /loginAs requests with the authentication method to identify misuse of readOnlyMasterKey
- Establish baseline metrics for legitimate /loginAs usage and alert on deviations
- Review access logs periodically for any historical exploitation attempts
How to Mitigate CVE-2026-30229
Immediate Actions Required
- Upgrade Parse Server to version 8.6.6 or 9.5.0-alpha.4 immediately
- Rotate all readOnlyMasterKey values to invalidate any potentially compromised keys
- Audit server logs for any suspicious /loginAs requests that may indicate exploitation
- Review all user sessions and terminate any sessions created through unauthorized means
Patch Information
Parse Server has released security patches addressing this vulnerability. Organizations should upgrade to one of the following versions:
- Stable Release: Version 8.6.6
- Alpha Release: Version 9.5.0-alpha.4
For complete details on the vulnerability and patch information, see the GitHub Security Advisory GHSA-79wj-8rqv-jvp5.
Workarounds
- If immediate patching is not possible, disable or remove the readOnlyMasterKey from your Parse Server configuration until the upgrade can be completed
- Implement network-level restrictions to limit access to the /loginAs endpoint to trusted administrative systems only
- Deploy a reverse proxy or web application firewall (WAF) to block POST requests to /loginAs when authenticated with non-master keys
# Example: Disable readOnlyMasterKey in Parse Server configuration
# Remove or comment out the readOnlyMasterKey option until patched
# In your parse-server configuration file:
# readOnlyMasterKey: 'your-read-only-key' # REMOVE THIS LINE
# After patching, install the fixed release via npm (npm install with an explicit
# version pins that release; npm update takes package names without a version)
npm install parse-server@8.6.6
# Or for the alpha channel
npm install parse-server@9.5.0-alpha.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

