CVE-2026-30229: CWE-863: Incorrect Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
AI Analysis
Technical Summary
Parse Server is an open-source backend that runs on Node.js and is widely used by mobile and web applications to manage user data and sessions. CVE-2026-30229 is an incorrect-authorization flaw (CWE-863) in how Parse Server treats the readOnlyMasterKey credential. That key is meant to grant master-level read access without write access, and it is presented in the same X-Parse-Master-Key header as the full master key. In versions prior to 8.6.6 and 9.5.0-alpha.4, the POST /loginAs endpoint, which lets a master-key holder obtain a session token for an arbitrary user by userId, accepted the read-only key as sufficient authorization. A session token is not itself read-only: once minted, it acts as that user with every permission the user's ACLs and class-level permissions grant, writes included. The read-only key therefore escalates to full impersonation of any account, defeating the least-privilege separation the key exists to provide. Exploitation requires possession of the readOnlyMasterKey and network access to the API; no further authentication or user interaction is needed. The fix in 8.6.6 and 9.5.0-alpha.4 enforces the missing check so that the read-only key can no longer call /loginAs. No public exploit has been reported at the time of writing; the record carries a CVSS 4.0 base score of 8.5 (High).
Potential Impact
An attacker holding the readOnlyMasterKey can impersonate any user and read or modify that user's data as the user. Because the read-only key is exactly the credential organizations hand to lower-trust consumers (reporting jobs, dashboards, analytics pipelines, third-party integrations), the practical blast radius is every place that key has been distributed, stored or logged. For organizations this means account takeover, data exposure and unauthorized data manipulation across every application backed by the affected deployment, with the usual downstream effects on customer trust and regulatory obligations. The escalation from read-only to full per-user access also undermines any control built on the assumption that the key cannot write: an attacker can plant malicious records, alter what other users see, or disrupt service. Remote exploitability without user interaction raises the urgency for deployments that expose the Parse API to the internet. Any deployment that configures readOnlyMasterKey should treat this as a priority fix.
Mitigation Recommendations
Upgrade Parse Server to 8.6.6 or later on the 8.x line, or 9.5.0-alpha.4 or later on the 9.x prerelease line. Until the upgrade lands, restrict who can reach the API at all: Parse Server endpoints, and POST /loginAs (under the server's mount path) in particular, should not be reachable from networks that do not need them, and a reverse proxy or WAF rule can drop POST requests to the loginAs path outright if no legitimate workflow uses it. Treat the readOnlyMasterKey as a full master key for the duration of the exposure: inventory every system that holds it, rotate it, and rotate the full masterKey as well if the two have been stored together. Session tokens minted through /loginAs remain valid after the patch, so review the _Session class for sessions created during the exposure window and delete any that cannot be attributed to a normal login; deleting a _Session object invalidates its token. Audit access logs for POST /loginAs calls (source address, frequency, target userId) and alert on any use outside known administrative hosts. Where the read-only key exists only to give one consumer a narrow slice of data, consider replacing it with a dedicated user plus class-level permissions, or a Cloud Code function, which removes the master-level credential from that consumer entirely. Finally, make sure development and operations teams understand that both master keys are deployment-wide credentials and handle them under the same secret-management rules.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.797Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab3d0ec48b3f10ffd4f2d7
Added to database: 3/6/2026, 8:46:06 PM
Last enriched: 3/6/2026, 9:00:24 PM
Last updated: 3/7/2026, 1:04:01 AM