Parse Server is an open-source backend framework that runs on Node.js and is widely used to build applications requiring backend services. The vulnerability identified as CVE-2026-30229 relates to an incorrect authorization control (CWE-863) in the handling of the readOnlyMasterKey credential. Normally, the readOnlyMasterKey is intended to provide limited, read-only access to the backend. However, in versions prior to 8.6.6 and 9.5.0-alpha.4, this key could be used to invoke the POST /loginAs endpoint. This endpoint is designed to allow privileged keys to impersonate users by generating valid session tokens. Due to improper authorization checks, the readOnlyMasterKey could bypass restrictions and obtain session tokens for any user, granting full read and write access to their data. This flaw effectively elevates the privileges of a read-only credential to full user impersonation, compromising confidentiality and integrity of user data. The vulnerability is remotely exploitable without user interaction or additional authentication beyond possession of the readOnlyMasterKey. The CVSS 4.0 base score of 8.5 reflects the critical nature of the vulnerability, with network attack vector, low attack complexity, no privileges required beyond the readOnlyMasterKey, and high impact on confidentiality and integrity. The issue has been patched in versions 8.6.6 and 9.5.0-alpha.4, and users are strongly advised to upgrade. No public exploits have been reported yet, but the vulnerability poses a significant risk to any affected deployment.

The vulnerability allows an attacker with access to the readOnlyMasterKey to impersonate any user and gain full read and write access to their data. This can lead to unauthorized data disclosure, data modification, and potential data destruction. Organizations relying on parse-server for backend services risk severe breaches of user privacy and data integrity. Attackers could manipulate user data, escalate privileges, or perform fraudulent actions on behalf of users. Since the readOnlyMasterKey is often used in integrations or monitoring, its compromise could go unnoticed, enabling persistent unauthorized access. The impact extends to any application built on parse-server, including mobile apps, web services, and IoT backends, potentially affecting millions of users. The vulnerability undermines trust in the security of affected applications and could lead to regulatory penalties if sensitive data is exposed. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of remediation.

1. Immediately upgrade all parse-server deployments to version 8.6.6 or later (including 9.5.0-alpha.4 and beyond) to apply the official patch addressing this vulnerability. 2. Audit and rotate all readOnlyMasterKey credentials to prevent unauthorized use of compromised keys. 3. Restrict access to the readOnlyMasterKey to trusted systems and personnel only, employing strict access controls and monitoring. 4. Implement network-level controls such as IP whitelisting and firewall rules to limit access to parse-server administrative endpoints. 5. Enable detailed logging and monitoring of all authentication and session token generation activities, especially calls to POST /loginAs, to detect anomalous usage. 6. Conduct a thorough review of application and backend logs to identify any suspicious activity or potential exploitation prior to patching. 7. Educate development and operations teams about the risks of improper key management and the importance of timely patching. 8. Consider implementing additional application-layer authorization checks or multi-factor authentication for sensitive operations if feasible. 9. Regularly review and update security policies related to key management and backend access controls to prevent similar issues.