
CVE-2026-31872: CWE-284: Improper Access Control in parse-community parse-server

Severity: High
Tags: Vulnerability, CVE-2026-31872, CWE-284
Published: Wed Mar 11 2026 (03/11/2026, 18:02:57 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/18/2026, 19:05:25 UTC

Technical Analysis

Parse Server is an open-source backend framework that supports deployment on any Node.js-capable infrastructure, commonly used to build mobile and web applications. The vulnerability identified as CVE-2026-31872 involves improper access control (CWE-284) in the handling of protectedFields class-level permissions (CLP). Specifically, prior to versions 9.6.0-alpha.6 and 8.6.32, parse-server fails to correctly enforce CLP restrictions when queries use dot-notation in WHERE clauses or sorting parameters. Dot-notation allows referencing sub-fields within a protected field, which the server erroneously permits, effectively bypassing intended access restrictions. This flaw enables an attacker to perform a binary oracle attack, systematically enumerating values of protected fields by crafting queries that reveal information through response behavior or sorting results. The vulnerability affects deployments using both MongoDB and PostgreSQL databases, as the issue lies in parse-server's query parsing and permission enforcement logic rather than the database itself. Exploitation requires no authentication or user interaction and can be performed remotely, increasing the risk profile. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality. The flaw was publicly disclosed and fixed in the specified versions, with no known exploits in the wild at the time of publication.

Potential Impact

The vulnerability allows unauthorized attackers to bypass class-level permissions and access sensitive sub-field data that should be protected. This can lead to significant confidentiality breaches, exposing sensitive user or application data stored in protected fields. The binary oracle attack method may allow attackers to enumerate or infer sensitive information even if direct data access is not possible, increasing the risk of data leakage. Since parse-server is widely used in mobile and web backend applications, exploitation could compromise user privacy, intellectual property, or business-critical information. The lack of authentication or user interaction requirements means attackers can exploit this remotely and anonymously, potentially leading to large-scale data exposure. Organizations relying on vulnerable parse-server versions face increased risk of data breaches, regulatory non-compliance, reputational damage, and potential financial losses. The vulnerability does not directly impact data integrity or availability but the confidentiality impact alone is substantial.

Mitigation Recommendations

Organizations should immediately upgrade parse-server to version 9.6.0-alpha.6 or later, or 8.6.32 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should audit and restrict network access to parse-server instances, limiting exposure to trusted networks or VPNs. Review and tighten class-level permissions and protectedFields configurations to minimize sensitive data exposure. Implement monitoring and alerting for unusual query patterns that may indicate exploitation attempts involving dot-notation queries or sorting. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious query parameters using dot-notation. Conduct thorough security testing and code reviews on custom parse-server extensions or cloud functions that may interact with protected fields. Maintain an incident response plan to quickly address any suspected data leakage. Finally, keep parse-server and its dependencies regularly updated to incorporate security fixes.
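The monitoring and WAF recommendations above need a rule more precise than "block dot-notation", because dot-notation is the normal way to query ordinary nested object fields. The following is an added example (not parse-server's own code) that checks a Parse REST query's `where` and `order` parameters against a class's protectedFields CLP and reports only dot-paths whose root is a protected field; the CLP shape and the helper names are assumptions for illustration.

```javascript
// Added example, not parse-server code: flag Parse REST queries whose `where` or
// `order` use dot-notation into sub-fields of a protectedFields entry (CLP shape
// assumed: { "*": [...], "role:<name>": [...] }). Only protected roots are flagged,
// since dot-notation is legitimate for ordinary nested fields.
const LOGICAL_OPS = new Set(["$or", "$and", "$nor"]);
// Return the root field if `key` is a dot-path into a protected field, else null.
function protectedRoot(key, protectedSet) {
  const dot = key.indexOf(".");
  if (dot <= 0) return null; // bare field name: not dot-notation
  const root = key.slice(0, dot);
  return protectedSet.has(root) ? root : null;
}

// Walk a `where` clause, descending into $or/$and/$nor sub-clauses.
function scanWhere(where, protectedSet, hits) {
  if (!where || typeof where !== "object" || Array.isArray(where)) return;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.has(key) && Array.isArray(value)) {
      value.forEach((sub) => scanWhere(sub, protectedSet, hits));
      continue;
    }
    const root = protectedRoot(key, protectedSet);
    if (root) hits.push({ param: "where", key, root });
  }
}

// `order` is a comma-separated field list; a leading "-" means descending.
function scanOrder(order, protectedSet, hits) {
  if (typeof order !== "string") return;
  for (const raw of order.split(",")) {
    const key = raw.trim().replace(/^-/, "");
    const root = protectedRoot(key, protectedSet);
    if (root) hits.push({ param: "order", key, root });
  }
}

// Check one query against the protectedFields bucket that applies to the
// requester ("*" = public/anonymous). Returns the offending keys, [] if clean.
function findProtectedFieldDotAccess(query, clp, roleKey = "*") {
  const protectedSet = new Set((clp.protectedFields || {})[roleKey] || []);
  const hits = [];
  scanWhere(query.where, protectedSet, hits);
  scanOrder(query.order, protectedSet, hits);
  return hits;
}
// Constructed sample: anonymous requests must not see `ssn` or `authData`.
const SAMPLE_CLP = { protectedFields: { "*": ["ssn", "authData"], "role:admin": [] } };
const SAMPLE_QUERY = { where: { $or: [{ "ssn.last4": "1234" }, { name: "alice" }] },
                       order: "-authData.token,createdAt" };
console.log(findProtectedFieldDotAccess(SAMPLE_QUERY, SAMPLE_CLP));
```

Run against request logs or as a pre-query hook, a non-empty result is the signal worth alerting on; the same check returns nothing for a role whose protectedFields bucket is empty, so it does not fire on legitimately privileged requests.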


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-09T19:02:25.014Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b1b88a2f860ef943602161

Added to database: 3/11/2026, 6:46:34 PM

Last enriched: 3/18/2026, 7:05:25 PM

Last updated: 4/28/2026, 3:31:42 AM
