CVE-2026-32234: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in parse-community parse-server
CVE-2026-32234 is a medium severity SQL injection vulnerability affecting parse-community's Parse Server when configured with PostgreSQL. It allows an attacker with master key access to inject malicious SQL via crafted field names in $regex query operators due to improper neutralization of special elements. This bypasses Parse Server's abstraction and operates directly at the database level. The vulnerability affects Parse Server versions >= 9.0.0 and < 9.6.0-alpha.10, and versions below 8.6.36.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that supports deployment on any infrastructure running Node.js, commonly used with various databases including PostgreSQL. CVE-2026-32234 is a SQL injection vulnerability categorized under CWE-89, arising from improper neutralization of special elements in SQL commands. Specifically, when Parse Server is configured to use PostgreSQL, the field name in a $regex query operator is interpolated directly into SQL queries without parameterization. An attacker possessing the master key can craft malicious field names in query constraints that inject arbitrary SQL commands. This vulnerability bypasses the Parse Server abstraction layer, allowing direct manipulation of the underlying PostgreSQL database. The affected versions include all releases from 9.0.0 up to but not including 9.6.0-alpha.10, and all versions below 8.6.36. The vulnerability was publicly disclosed on March 11, 2026, with a CVSS 4.0 base score of 5.1, reflecting medium severity. No known exploits are currently reported in the wild. The issue is resolved in Parse Server versions 9.6.0-alpha.10 and 8.6.36 by properly sanitizing and parameterizing the field names used in SQL queries.
Potential Impact
This vulnerability allows an attacker with master key access to execute arbitrary SQL commands on the PostgreSQL database underlying Parse Server. The impact includes potential unauthorized data access, data modification, or deletion, compromising confidentiality, integrity, and availability of the backend data. Since the attack bypasses the Parse Server abstraction, it can lead to severe consequences such as privilege escalation within the database, extraction of sensitive information, or disruption of service. Organizations relying on Parse Server with PostgreSQL for critical backend services are at risk of significant operational and reputational damage if exploited. However, exploitation requires possession of the master key, which is typically tightly controlled, limiting the attack surface to insiders or attackers who have already compromised administrative credentials.
Mitigation Recommendations
Organizations should immediately upgrade Parse Server to versions 9.6.0-alpha.10 or later, or 8.6.36 or later, where this vulnerability is fixed. Additionally, strict access controls and monitoring should be enforced around the master key to prevent unauthorized access. Implementing robust key management practices, including rotation and limited distribution, reduces risk. Logging and alerting on unusual query patterns or database errors can help detect attempted exploitation. Where possible, segregate the database environment and restrict network access to trusted hosts. Conduct regular security audits of Parse Server configurations and dependencies. Finally, consider employing Web Application Firewalls (WAFs) with custom rules to detect anomalous query parameters targeting $regex operators.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.683Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1cd382f860ef943720750
Added to database: 3/11/2026, 8:14:48 PM
Last enriched: 3/11/2026, 8:29:58 PM
Last updated: 3/11/2026, 9:48:05 PM