Parse Server, Missing Authorization, CVE-2026-30850 (moderate)

Listen to this Post

The vulnerability resides in the file metadata endpoint (GET /files/:appId/metadata/:filename). In affected versions of Parse Server, this endpoint does not invoke the `beforeFind` and `afterFind` triggers that developers often attach to the `Parse.File` class. These triggers are commonly used as security gates to implement custom access control logic, such as verifying if a user has permission to view a specific file’s metadata. Because the endpoint handler bypasses this trigger pipeline entirely, an attacker who can guess or enumerate a valid filename can access its associated metadata without any authorization checks. This exposure is limited to user-defined key-value pairs set via addMetadata; the actual file content remains protected. The vulnerability exists only in deployments that rely on these specific triggers for access control. The patch modifies the metadata handler to properly execute the `beforeFind` and `afterFind` triggers and returns an HTTP 403 Forbidden status if access is denied by the trigger logic .

dailycve form:

Platform: Parse Server
Version: <8.6.9, 9.0.0-alpha.1-9.5.0-alpha.9
Vulnerability : Missing Authorization
Severity: moderate
date: March 7, 2026

Prediction: April 2026

What Undercode Say:

Analytics:

Check current version
npm list parse-server
Determine if app uses vulnerable triggers
grep -r "Parse.Cloud.beforeFind(Parse.File" ./src
grep -r "Parse.Cloud.afterFind(Parse.File" ./src
Test for vulnerability (replace placeholders)
curl -I "http://your-parse-server.com/parse/files/YOUR_APP_ID/metadata/somefile.txt"

Exploit:

Direct metadata access bypassing beforeFind/afterFind
curl -X GET \
"http://target-parse.com/parse/files/APP_ID/metadata/target.jpg" \
-H "X-Parse-Application-Id: APP_ID"

Protection:

Immediate Workaround: Block route via middleware
app.get('/parse/files/:appId/metadata/:filename', (req, res) => {
res.status(403).json({ error: 'Forbidden' });
});
Permanent Fix: Upgrade to patched version
npm install [email protected]
or for v9 users:
npm install [email protected]

Impact:

Unauthorized metadata exposure. Attackers can read file metadata used for access control logic, potentially enumerating files and leaking sensitive information stored as metadata.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top