Parse Server is an open-source backend framework that runs on Node.js and supports file management through its Files API. In versions prior to 8.6.5 and 9.5.0-alpha.3, a critical authorization flaw exists involving the readOnlyMasterKey. This key is designed to provide read-only access, preventing modification or deletion of files. However, due to incorrect authorization checks (CWE-863), the readOnlyMasterKey could be used to perform unauthorized POST and DELETE requests on the Files API endpoints (/files/:filename). This allows an attacker who has obtained the readOnlyMasterKey to upload arbitrary files or delete existing files, effectively bypassing the intended read-only restriction. The vulnerability does not require user interaction or additional authentication beyond possession of the readOnlyMasterKey, and it can be exploited remotely over the network. The flaw compromises the integrity and availability of files managed by the parse-server deployment. The vulnerability has been assigned CVE-2026-30228 and carries a CVSS 4.0 score of 6.9, reflecting a medium severity level. No public exploits have been observed in the wild yet. The issue was addressed and patched in parse-server versions 8.6.5 and 9.5.0-alpha.3 by correcting the authorization logic to enforce proper access control for the readOnlyMasterKey on file operations.

This vulnerability impacts the integrity and availability of files managed by parse-server deployments using the readOnlyMasterKey and exposing the Files API. An attacker with access to the readOnlyMasterKey can upload malicious files, potentially leading to the distribution of malware or unauthorized content. They can also delete critical files, causing data loss or service disruption. This could affect applications relying on parse-server for backend services, including mobile and web applications, leading to compromised user trust and operational downtime. Since the readOnlyMasterKey is intended to limit access, its misuse undermines security assumptions and could facilitate further attacks if attackers use uploaded files as a foothold. Organizations worldwide that deploy parse-server in production environments with exposed Files API endpoints and use the readOnlyMasterKey are at risk. Although exploitation requires possession of the key, if leaked or improperly stored, the impact can be significant. No known active exploits reduce immediate widespread risk, but the vulnerability should be addressed promptly to prevent future attacks.

1. Upgrade all parse-server deployments to version 8.6.5 or later (including 9.5.0-alpha.3 or later) where the vulnerability is patched. 2. Audit and rotate the readOnlyMasterKey to ensure any potentially compromised keys are invalidated. 3. Restrict access to the readOnlyMasterKey strictly, storing it securely using environment variables or secret management solutions, and avoid exposing it in client-side code or logs. 4. Limit exposure of the Files API endpoints by implementing network-level controls such as IP whitelisting, VPN access, or API gateways with authentication and authorization enforcement. 5. Monitor file upload and deletion activities for anomalies or unauthorized operations, leveraging logging and alerting mechanisms. 6. Conduct regular security reviews of key management practices and access controls to prevent unauthorized key disclosure. 7. Consider implementing additional application-layer authorization checks to supplement parse-server’s built-in controls. 8. Educate development and operations teams about the risks of key leakage and the importance of timely patching.