Parse Server is an open-source backend framework running on Node.js, widely used for mobile and web applications. In versions prior to 8.6.5 and 9.5.0-alpha.3, a critical authorization flaw (CWE-863) exists in the handling of the readOnlyMasterKey within the Files API. The readOnlyMasterKey is designed to provide read-only access, preventing modification or deletion of files. However, due to incorrect authorization checks, this key can be exploited to perform unauthorized POST and DELETE requests on /files/:filename endpoints, allowing attackers to upload arbitrary files or delete existing files. This bypass undermines the security model and can lead to data tampering, data loss, or injection of malicious files. The vulnerability does not require user interaction and can be exploited remotely over the network if the attacker has the readOnlyMasterKey, which is a high-privilege credential. The issue was publicly disclosed in March 2026 and has been addressed in versions 8.6.5 and 9.5.0-alpha.3. No public exploits have been observed, but the vulnerability poses a significant risk to deployments exposing the Files API with the affected key configuration.

The vulnerability allows attackers with the readOnlyMasterKey to bypass intended read-only restrictions and perform unauthorized file uploads and deletions. This can lead to several impacts: compromise of data integrity by deleting critical files or replacing them with malicious payloads; potential service disruption if essential files are deleted; injection of malicious files that could be used for further attacks such as malware distribution or server-side code execution if the environment processes uploaded files insecurely; erosion of trust and potential data loss for end users relying on the backend. Organizations relying on parse-server for backend services, especially those exposing the Files API publicly or to untrusted networks, face risks of data manipulation and availability issues. Since exploitation requires possession of the readOnlyMasterKey, the impact is contingent on the security of this key, but if leaked or compromised, the threat is significant.

1. Upgrade all parse-server deployments to version 8.6.5 or later (or 9.5.0-alpha.3 or later) to apply the official patch that corrects the authorization logic. 2. Audit and rotate all readOnlyMasterKeys in use, especially if there is any suspicion of compromise or exposure. 3. Restrict access to the Files API endpoints to trusted networks or authenticated users where possible, minimizing exposure of the readOnlyMasterKey. 4. Implement strict monitoring and alerting on file creation and deletion activities within parse-server logs to detect anomalous usage patterns. 5. Employ network-level controls such as firewalls or API gateways to limit access to sensitive API endpoints. 6. Review and harden key management practices to ensure that the readOnlyMasterKey is stored securely and not embedded in client-side code or publicly accessible configurations. 7. Consider additional application-layer validation or file integrity checks to detect unauthorized file modifications.