Parse Server, Information Disclosure, CVE-2026-30835 (Medium)

Listen to this Post

A malformed `$regex` query parameter (e.g., [abc) causes the database to return a structured error object. This error object, rich with database internals such as error messages, codes, code names, cluster timestamps, and topology details, is passed unsanitized directly to the API client . This vulnerability, identified as CWE-209 (Generation of Error Message Containing Sensitive Information), allows any client that can send query requests to potentially map the internal database architecture . The exploitability depends on the deployment’s permission configuration, but it requires no privileges and no user interaction . Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 are affected . The fix implemented sanitizes these database error objects, replacing detailed errors with a generic “An internal server error occurred” message to clients while logging the full details server-side. This fix also respects the `enableSanitizedErrorResponse` server option, allowing administrators to control this behavior .

dailycve form:

Platform: Parse Server
Version: <8.6.7, <9.5.0-alpha.6
Vulnerability: Information Disclosure
Severity: Medium
date: 2026-03-05

Prediction: Patch available

What Undercode Say:

Analytics:

Check your Parse Server version:

npm list parse-server

Or for global installations:

parse-server --version

Simulate a vulnerable request to test for exposure (do not use on production systems):

Replace URL and App ID with your target's values
curl -X GET \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
'https://your-parse-server.com/parse/classes/YourClass?where={"field":{"$regex":"[abc"}}'

If the response contains database error codes, cluster timestamps, or topology details instead of a generic error, the system is vulnerable .

Exploit:

An attacker can send a specifically malformed regex query to elicit detailed database errors:

curl -X GET \
-H "X-Parse-Application-Id: TARGET_APP_ID" \
'https://target-parse-server.com/parse/classes/AnyClass?where={"sensitiveField":{"$regex":"[abc"}}'

The server responds with an error object that leaks internal database information, such as `MongoError` details, topology IDs, or cluster timestamps, which can be used for further reconnaissance .

Protection from this CVE

  • Upgrade to patched versions: 8.6.7 or 9.5.0-alpha.6 (or later) .
  • Ensure the `enableSanitizedErrorResponse` server option is set to `true` (default in patched versions) to enforce generic error messages .
  • Monitor server logs for detailed errors to identify any attempted exploitation without exposing details to clients.

Impact:

  • Information Disclosure: Leaks sensitive database internals like error messages, codes, and topology details .
  • Security Reconnaissance: Exposed data helps attackers map the database architecture and prepare more targeted attacks.
  • Compliance Risk: Disclosure of system details may violate data protection policies by exposing internal infrastructure information.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top