CVE-2026-29182: CWE-863: Incorrect Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework running on Node.js, widely used for mobile and web applications. It supports a readOnlyMasterKey option designed to provide master-level read access while denying write operations, thereby limiting the scope of access for certain administrative tasks. However, in versions prior to 8.6.4 and 9.4.1-alpha.3, some API endpoints erroneously accept the readOnlyMasterKey for mutating operations, violating the intended access control policy (CWE-863: Incorrect Authorization). This flaw enables an attacker who has obtained the readOnlyMasterKey to perform unauthorized write actions such as creating, modifying, or deleting Cloud Hooks and initiating Cloud Jobs. These capabilities can be leveraged to execute arbitrary code or exfiltrate sensitive data from the backend. The vulnerability does not require user interaction and can be exploited remotely over the network without additional privileges beyond possession of the readOnlyMasterKey. The issue was publicly disclosed and assigned CVE-2026-29182 with a CVSS v4.0 base score of 8.6 (high severity), reflecting its significant impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date. The vulnerability affects all deployments using the readOnlyMasterKey option on vulnerable versions, emphasizing the importance of upgrading to patched releases 8.6.4 or 9.4.1-alpha.3 to remediate the risk.
Potential Impact
The vulnerability allows attackers with the readOnlyMasterKey to bypass intended authorization restrictions and perform unauthorized write operations on the Parse Server backend. This can lead to unauthorized creation or modification of Cloud Hooks and Cloud Jobs, which are mechanisms that can execute arbitrary backend code or trigger workflows. Consequently, attackers can manipulate backend logic, exfiltrate sensitive data, or disrupt service availability. The compromise of Cloud Hooks and Jobs can also facilitate persistent access or lateral movement within the affected infrastructure. Since the readOnlyMasterKey is a high-privilege credential, its exposure combined with this flaw significantly elevates the risk of data breaches and operational disruption. Organizations relying on Parse Server for critical applications may face data confidentiality violations, integrity breaches, and potential service outages. The ease of remote exploitation without user interaction further exacerbates the threat, making timely patching essential to prevent exploitation.
Mitigation Recommendations
1. Upgrade all Parse Server deployments to version 8.6.4 or later, or 9.4.1-alpha.3 or later, where the vulnerability is patched.
2. Immediately audit and rotate the readOnlyMasterKey to invalidate any potentially compromised keys.
3. Restrict access to the readOnlyMasterKey by enforcing strict access controls and limiting its distribution only to trusted administrators and systems.
4. Monitor logs and Cloud Hook/Job activities for unusual or unauthorized operations that could indicate exploitation attempts.
5. Implement network-level protections such as IP whitelisting and firewall rules to limit access to Parse Server endpoints.
6. Consider disabling the readOnlyMasterKey option if not strictly necessary, or use alternative access control mechanisms with more granular permissions.
7. Conduct regular security reviews and penetration testing focused on authorization controls within Parse Server deployments.
8. Educate developers and administrators about the risks of key exposure and the importance of secure key management practices.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab3d0ec48b3f10ffd4f2cd
Added to database: 3/6/2026, 8:46:06 PM
Last enriched: 3/14/2026, 7:45:13 PM
Last updated: 4/21/2026, 2:29:13 AM