Listen to this Post
The vulnerability stems from a logical flaw in how Parse Server handles the readOnlyMasterKey. Designed to provide read-only access to data, this key was inadvertently granted write privileges to the Files API. The core issue lies in the server’s authorization checks for the `POST /files/:filename` and `DELETE /files/:filename` endpoints. These endpoints failed to validate that the requesting key was not the readOnlyMasterKey. An attacker who possesses this key, which is often embedded in client-side applications for read-only operations, can exploit this oversight. By crafting direct HTTP requests to these file endpoints, the attacker can bypass the intended read-only restriction. This allows for the arbitrary creation of files on the server, potentially leading to the upload of malicious scripts, or the deletion of existing user-generated content and assets. The flaw affects all server configurations where the `readOnlyMasterKey` is utilized and the Files API is enabled. Patches have been released that now enforce proper permission checks, ensuring that the master key’s read-only scope is respected across all API handlers, including file operations .
dailycve form:
Platform: Parse Server
Version: <8.6.5, 9.0.0-9.5.0-alpha.3
Vulnerability : Authorization Bypass
Severity: Moderate (CVSS:6.9)
date: 5 Mar 2026
Prediction: Patch already available
What Undercode Say:
Analytics:
This vulnerability (CVE-2026-30228) highlights a critical authorization oversight in Parse Server. The root cause is the failure to validate the `readOnlyMasterKey` against write operations in the Files API handler. The CVSS v4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) indicates a medium severity with high impact on integrity . The flaw exists in the specific logic path for file routes, separate from standard object access controls. An attacker with knowledge of the key can manipulate the file system directly via HTTP requests.
Exploit:
Exploit Example: Uploading a file using the readOnlyMasterKey 1. Set the target server and key TARGET_URL="https://your-parse-server.com" READ_ONLY_KEY="your_read_only_master_key_value" FILENAME="exploit-test.txt" 2. Create a malicious file content echo "This file was uploaded using the readOnlyMasterKey" > malicious.txt 3. Send the POST request to create the file curl -X POST \ "$TARGET_URL/files/$FILENAME" \ -H "X-Parse-Application-Id: YOUR_APP_ID" \ -H "X-Parse-Master-Key: $READ_ONLY_KEY" \ -H "Content-Type: text/plain" \ --data-binary @malicious.txt Expected behavior before patch: File is created successfully. After patch: Request is denied with authorization error. 4. Exploit Deletion: Delete the file using the same key curl -X DELETE \ "$TARGET_URL/files/$FILENAME" \ -H "X-Parse-Application-Id: YOUR_APP_ID" \ -H "X-Parse-Master-Key: $READ_ONLY_KEY"
Protection from this CVE:
Immediate Mitigation Steps 1. Upgrade Parse Server to a patched version For version 8.x, upgrade to 8.6.5 or later For version 9.x, upgrade to 9.5.0-alpha.3 or later Using npm npm install [email protected] OR npm install [email protected] 2. If immediate upgrade is not possible, restrict network access Block external access to the Files API endpoints (/files/) Example using iptables sudo iptables -A INPUT -p tcp --dport 1337 -m string --string "/files/" --algo bm -j DROP 3. Audit server logs for unauthorized file operations grep -i "POST /files/" /var/log/parse-server.log | grep -i "masterkey" grep -i "DELETE /files/" /var/log/parse-server.log | grep -i "masterkey"
Impact:
An attacker can bypass the read-only restriction to perform unauthorized file operations. This leads to integrity loss (VI:H) as arbitrary file uploads can introduce malicious content or deface applications. Arbitrary file deletions can cause data loss and service disruption. While confidentiality and availability are not directly scored, deletion of assets can lead to indirect denial of service. The attack complexity is low, requiring only network access and possession of the `readOnlyMasterKey` .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
Vercel Workflow, Predictable Webhook Tokens, CVE-2026-XXXX (Medium)
