Parse Server, SQL Injection, CVE-2026-32234 (Moderate)

Listen to this Post

Parse Server is vulnerable to a SQL injection attack via query field names when configured to use a PostgreSQL database . An attacker who possesses the master key can exploit this by sending a crafted query containing a `$regex` operator with a malicious field name . Because the field name is passed to PostgreSQL using unparameterized string interpolation, the attacker’s payload can break out of the intended query context and execute arbitrary SQL commands . This bypasses the Parse Server abstraction layer entirely and operates directly at the database level, potentially allowing the attacker to read, modify, or delete data beyond their permissions . The vulnerability affects all versions prior to 9.6.0-alpha.10 and 8.6.36 . The fix involves proper SQL identifier escaping and stricter validation of field names for all query types .

DailyCVE Form:

Platform: Parse Server PostgreSQL
Version: <8.6.36, <9.6.0-alpha.10
Vulnerability :SQL Injection
Severity: Moderate
date: 2026-03-11

Prediction: Patch already available

What Undercode Say:

Analytics:

This vulnerability (CVE-2026-32234) was published to the NVD on March 11, 2026, and reviewed by the GitHub Advisory Database on March 12, 2026 . The CVSS v4.0 score is 5.1, with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N, indicating a network-based attack with high privileges required (master key) and low impact on confidentiality, integrity, and availability . The vulnerability only affects deployments using PostgreSQL .

Exploit:

An attacker with the master key could exploit this by sending a request with a specially crafted field name in a `$regex` constraint. For example, a query with a field name like `”‘; DROP TABLE ParseData; –“` within the `$regex` operator could cause the database to execute the injected SQL command when the field name is improperly interpolated.

Example of a malicious curl command (conceptual)
curl -X GET \
'http://your-parse-server.com/classes/YourClass' \
-H 'X-Parse-Application-Id: YOUR_APP_ID' \
-H 'X-Parse-Master-Key: YOUR_MASTER_KEY' \
--data-urlencode 'where={"$regex":{""; DELETE FROM "Users" WHERE "1"="1": {"$regex": "."}}}'

Protection from this CVE:

Immediately update Parse Server to the patched versions: 8.6.36 or 9.6.0-alpha.10 or later . There are no known workarounds . As a defense-in-depth measure, restrict access to the master key and monitor database query logs for any anomalies.

Impact:

Successful exploitation allows an attacker with the master key to execute arbitrary SQL commands on the PostgreSQL database . This can lead to unauthorized reading, modification, or deletion of data, bypassing the security controls implemented by Parse Server . The confidentiality, integrity, and availability of the database can be compromised, though the CVSS score suggests the impact is limited .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top