CVE-2026-30966: CWE-284: Improper Access Control in parse-community parse-server
CVE-2026-30966 is a critical improper access control vulnerability in parse-community's parse-server versions prior to 9.5.2-alpha.7 and 8.6.20. It allows any client with only the application key, without requiring the master key or authentication, to access internal tables that store Relation field mappings such as role memberships via REST or GraphQL APIs. Exploiting this flaw enables attackers to create, read, update, or delete records in these internal relationship tables, effectively injecting themselves into any Parse Role. This grants full permissions associated with that role, including read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). The vulnerability also allows bypassing access controls tied to pointerFields CLP by manipulating Relation field tables.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that supports deployment on any infrastructure running Node.js. It uses internal tables to manage Relation field mappings, such as role memberships, which enforce role-based access controls via Class-Level Permissions (CLP). In affected versions prior to 9.5.2-alpha.7 and 8.6.20, these internal tables are improperly protected and can be accessed directly through the REST or GraphQL APIs by any client possessing only the application key, without requiring the master key or any additional authentication. This improper access control (CWE-284) allows attackers to manipulate role membership data, effectively injecting themselves into any role. By doing so, attackers gain all permissions assigned to that role, including full read, write, and delete capabilities on protected classes. Additionally, attackers can bypass pointerFields CLP restrictions by modifying the underlying Relation field tables. The vulnerability is remotely exploitable over the network without user interaction, making it highly dangerous. The CVSS v3.1 score is 10.0 (critical), reflecting the high impact on confidentiality, integrity, and availability, ease of exploitation, and broad scope. The issue is resolved in parse-server versions 9.5.2-alpha.7 and 8.6.20.
Potential Impact
This vulnerability poses a severe risk to organizations using affected versions of parse-server, as attackers can escalate privileges by injecting themselves into any role, gaining full access to sensitive data and operations protected by role-based permissions. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized data modification or deletion, and availability by potentially disrupting services through destructive actions. Since the exploit requires only the application key and no authentication, any exposed parse-server instance is vulnerable to remote attacks. Organizations relying on parse-server for backend services, especially those handling sensitive user data or critical business logic, face risks of data breaches, unauthorized data manipulation, and service disruption. The vulnerability undermines the fundamental access control mechanisms, potentially leading to widespread compromise of backend data and applications.
Mitigation Recommendations
Organizations should immediately upgrade parse-server to version 9.5.2-alpha.7 or 8.6.20 or later, where this vulnerability is fixed. Until upgrading, restrict network access to parse-server APIs to trusted clients only, ideally behind VPNs or firewalls. Implement strict monitoring and logging of API access to detect unusual activities related to role membership or Relation field modifications. Review and rotate application keys and master keys to limit exposure. Consider implementing additional application-layer access controls or API gateways that enforce stricter authentication and authorization checks beyond the default parse-server mechanisms. Conduct thorough audits of role memberships and permissions to identify any unauthorized changes. Finally, educate development and operations teams about the risks of exposing internal tables and the importance of timely patching.
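The role-membership audit recommended above, as an added example that is not parse-server's own code: it assumes the standard Parse REST API (`/classes/<Class>` queried with `X-Parse-Application-Id` and `X-Parse-Master-Key` headers and a `$relatedTo` clause), Node 18+ for global `fetch`, and a constructed baseline and snapshot in place of live data. It snapshots each Role's member list with the master key and diffs it against an approved baseline so that an unexpected member (the injection this advisory describes) is surfaced.

```javascript
// Added example, not parse-server project code. Audits Parse Role membership
// against an approved baseline; assumes the standard Parse REST API.

// Build the "where" clause listing one Role's relation members ("users" or
// "roles"). $relatedTo is the documented Parse relation query form.
function relatedToWhere(roleObjectId, relationKey) {
  return {
    $relatedTo: {
      object: { __type: "Pointer", className: "_Role", objectId: roleObjectId },
      key: relationKey,
    },
  };
}

// Fetch member objectIds of a Role's relation. Uses the master key, which an
// auditor legitimately holds; the target class follows from the relation key.
async function fetchRoleMembers(serverUrl, appId, masterKey, roleObjectId, relationKey) {
  const target = relationKey === "roles" ? "_Role" : "_User";
  const where = encodeURIComponent(JSON.stringify(relatedToWhere(roleObjectId, relationKey)));
  const url = `${serverUrl}/classes/${target}?where=${where}&keys=objectId&limit=1000`;
  const res = await fetch(url, {
    headers: { "X-Parse-Application-Id": appId, "X-Parse-Master-Key": masterKey },
  });
  if (!res.ok) throw new Error(`Parse query failed: HTTP ${res.status}`);
  return (await res.json()).results.map((o) => o.objectId);
}

// Compare observed membership with the baseline. Members present on the server
// but absent from the baseline are candidate injections; missing members are
// removals that should also be explained.
function diffMembership(expected, observed) {
  const exp = new Set(expected);
  const obs = new Set(observed);
  return {
    unexpected: [...obs].filter((id) => !exp.has(id)).sort(),
    missing: [...exp].filter((id) => !obs.has(id)).sort(),
  };
}

// Audit every role in the baseline; returns only the roles that drifted.
function auditRoles(baseline, snapshot) {
  const findings = {};
  for (const [roleName, expectedIds] of Object.entries(baseline)) {
    const d = diffMembership(expectedIds, snapshot[roleName] || []);
    if (d.unexpected.length || d.missing.length) findings[roleName] = d;
  }
  return findings;
}

// Constructed sample data: an approved baseline and a snapshot in which one
// unknown objectId has appeared in the "admin" role.
const BASELINE = { admin: ["u1", "u2"], editor: ["u3"] };
const SNAPSHOT = { admin: ["u1", "u2", "xk9unknown"], editor: ["u3"] };
```

In production, build `SNAPSHOT` by calling `fetchRoleMembers` for each role's `users` and `roles` relations and alert on any non-empty result from `auditRoles`.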
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:53:48.815Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b0864c2f860ef943bbb066
Added to database: 3/10/2026, 8:59:56 PM
Last enriched: 3/10/2026, 9:15:05 PM
Last updated: 3/11/2026, 9:40:26 AM