CVE-2026-32234: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in parse-community parse-server
CVE-2026-32234 is a medium-severity SQL injection vulnerability in parse-community's parse-server when it is configured with a PostgreSQL backend. An attacker who holds the master key can inject SQL through crafted field names in $regex query operators, because the field name is interpolated into the SQL string rather than validated or quoted as an identifier. The injected SQL bypasses the Parse Server abstraction and runs directly against the database. Affected versions are >= 9.0.0 and < 9.6.0-alpha.10, and versions below 8.6.36.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that can be deployed on any infrastructure able to run Node.js. In versions prior to 9.6.0-alpha.10 and 8.6.36, when configured to use PostgreSQL as the database backend, parse-server mishandles field names in $regex query operators: the field name is interpolated directly into the SQL statement without validation, which is an SQL injection vulnerability (CWE-89). PostgreSQL cannot bind identifiers (column names) as query parameters, so a field name has to be validated or quoted as an identifier before it enters the statement; the vulnerable code interpolated it as-is. An attacker who has obtained the master key, which grants elevated privileges within parse-server, can therefore supply a field name that alters the SQL executed by PostgreSQL. This bypasses the parse-server abstraction layer and yields direct database-level injection. The vulnerability is limited to parse-server deployments using PostgreSQL and does not affect other database backends. The CVSS 4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity and no user interaction, but high privileges required (the master key). No exploitation in the wild has been reported. The vulnerability was published on March 11, 2026, and is fixed in the versions named above.
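To make the class of bug concrete, the following is an added illustration written for this page; it is not parse-server's own query builder and does not reproduce the real vulnerable code. It is a toy PostgreSQL WHERE builder for Parse-style `{ where: { <field>: { $regex: <pattern> } } }` requests, in a vulnerable form that splices the field name into the SQL text and a hardened form that validates and quotes it. The table name, the identifier character set and the malicious request are all constructed for the example.

```javascript
// Added illustration, not parse-server's own code: a toy PostgreSQL WHERE
// builder for Parse-style queries, in a vulnerable and a hardened form.
// The request shape { where: { <field>: { $regex: <pattern> } } } mirrors
// the Parse REST query API; everything else here is constructed.

// VULNERABLE: the field name is spliced into the SQL text. The pattern is
// bound as a parameter, but an identifier cannot be bound in PostgreSQL, so
// the builder trusts the caller (here, a master-key holder) for the column name.
function regexClauseVulnerable(fieldName, pattern, paramIndex) {
  return { text: `"${fieldName}" ~ $${paramIndex}`, values: [pattern] };
}

// HARDENED: reject any field name that is not a plain column identifier,
// then quote it as an identifier (doubling any embedded quote). The allowed
// character set is an assumption for this example; a real backend should
// additionally check the name against the class schema.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function regexClauseSafe(fieldName, pattern, paramIndex) {
  if (!SAFE_IDENT.test(fieldName)) {
    throw new Error(`invalid field name: ${JSON.stringify(fieldName)}`);
  }
  const quoted = '"' + fieldName.replace(/"/g, '""') + '"';
  return { text: `${quoted} ~ $${paramIndex}`, values: [pattern] };
}

// Turn a Parse-style `where` object into a parameterized WHERE string,
// delegating each $regex constraint to the supplied clause builder.
function whereToSql(where, clauseBuilder) {
  const parts = [];
  const values = [];
  for (const [field, constraint] of Object.entries(where)) {
    if (constraint && typeof constraint === 'object' && '$regex' in constraint) {
      const clause = clauseBuilder(field, constraint.$regex, values.length + 1);
      parts.push(clause.text);
      values.push(...clause.values);
    }
  }
  return { text: `SELECT * FROM "_User" WHERE ${parts.join(' AND ')}`, values };
}

// Constructed malicious request: the "field name" closes the quoted
// identifier, appends a tautology, and reopens a quote so that the rest of
// the template still parses as valid SQL.
const maliciousWhere = {
  'username" ~ $1 OR 1=1 OR "username': { $regex: '^nobody$' },
};

const benignWhere = { username: { $regex: '^admin' } };

// Runs both builders against the constructed requests and returns what
// each would send to PostgreSQL (or the rejection message).
function demo() {
  const injected = whereToSql(maliciousWhere, regexClauseVulnerable);
  let rejected = null;
  try {
    whereToSql(maliciousWhere, regexClauseSafe);
  } catch (e) {
    rejected = e.message;
  }
  const safe = whereToSql(benignWhere, regexClauseSafe);
  return { injected: injected.text, rejected, safe: safe.text };
}
```

With the vulnerable builder, `demo().injected` is `SELECT * FROM "_User" WHERE "username" ~ $1 OR 1=1 OR "username" ~ $1`: the bound pattern is irrelevant because `OR 1=1` matches every row, and the same position could carry any other SQL fragment. The hardened builder rejects the request before any SQL is assembled. The `OR 1=1` payload is only a demonstration of the injection primitive; it is not a claim about what the real vulnerable code accepts or how the patched versions fix it.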
Potential Impact
If exploited, this vulnerability allows an attacker with master-key access to execute arbitrary SQL against the PostgreSQL backend, with whatever privileges parse-server's database role holds. That can mean unauthorized disclosure, modification or deletion of data, affecting the confidentiality, integrity and availability of the backend. Because the injected SQL bypasses parse-server's abstraction, it also bypasses application-level access controls (class-level permissions and ACLs) and parse-server's own logging; only database-side logging would record it. Organizations running vulnerable versions with PostgreSQL therefore risk a significant data breach or service disruption if the master key is compromised. Exploitation does require possession of the master key, which limits it to insiders or to attackers who have already obtained that secret; the medium severity rating reflects this balance of impact and required privileges.
Mitigation Recommendations
Organizations should upgrade parse-server to 9.6.0-alpha.10 or later, or to 8.6.36 or later, depending on their release branch. Restrict master-key access to the minimum necessary personnel and systems, keep it out of client applications, and rotate it if compromise is suspected. Monitor and alert on master-key usage and on anomalous database activity; enable PostgreSQL statement logging (for example `log_statement`) so that injected statements are recorded even though parse-server's own logs will not show them. WAF rules that flag unusual `$regex` field names can add telemetry, but they cannot reliably distinguish a legitimate master-key request from a malicious one, so treat them as supplementary rather than as the control. Run parse-server's PostgreSQL role with least privilege (no superuser, no ownership of unrelated schemas, no DDL rights it does not need) so that an injected statement cannot reach beyond the application's own tables. Audit parse-server configurations and PostgreSQL query logs regularly for signs of exploitation. If risk tolerance is low, evaluate whether PostgreSQL is required for the deployment. Note that "parameterization" alone does not address this bug class, since PostgreSQL cannot bind identifiers as parameters; the required fix is validation or identifier quoting of field names before they enter the statement.
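The first step of the recommendations above is knowing whether an installed version is in the affected ranges, and the prerelease boundary (9.6.0-alpha.10) makes a naive string comparison wrong. The following is an added example, not part of the advisory or of parse-server, that implements semver 2.0.0 ordering (including prerelease identifiers) and applies the two ranges stated on this page. The version string would come from `npm ls parse-server` or `package.json`; the function and variable names are the example's own.

```javascript
// Added example, not part of the advisory or of parse-server: a semver
// comparison that tells whether a parse-server version falls in the affected
// ranges stated above (>= 9.0.0 and < 9.6.0-alpha.10, or < 8.6.36).

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" into core numbers and
// prerelease identifiers (numeric ids become Numbers, others stay strings).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  const pre = m[4]
    ? m[4].split('.').map((id) => (/^\d+$/.test(id) ? Number(id) : id))
    : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Compare two prerelease identifier lists per semver 2.0.0 section 11:
// numeric ids compare numerically, numeric < alphanumeric, alphanumeric
// compare lexically (ASCII), and a shorter list that is a prefix of the
// longer one sorts lower.
function comparePre(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = typeof x === 'number', yn = typeof y === 'number';
    if (xn && yn) { if (x !== y) return x < y ? -1 : 1; continue; }
    if (xn !== yn) return xn ? -1 : 1;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1. A release sorts above any prerelease of the same
// core, so 9.6.0 > 9.6.0-alpha.10 > 9.6.0-alpha.9.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  return comparePre(pa.pre, pb.pre);
}

// The affected ranges from this advisory: < 8.6.36, or >= 9.0.0 and
// < 9.6.0-alpha.10. Everything from 8.6.36 up to (excluding) 9.0.0 is fixed.
function isAffectedByCve202632234(version) {
  const lt = (a, b) => compareSemver(a, b) < 0;
  const gte = (a, b) => compareSemver(a, b) >= 0;
  if (lt(version, '8.6.36')) return true;
  return gte(version, '9.0.0') && lt(version, '9.6.0-alpha.10');
}
```

`isAffectedByCve202632234('9.6.0-alpha.9')` is true while `'9.6.0-alpha.10'` and `'9.6.0'` are false, which is exactly the comparison a plain string sort gets wrong ("alpha.9" sorts after "alpha.10" lexically). Any prerelease of 8.6.36 itself (for example 8.6.36-alpha.1) is reported as affected because it is below 8.6.36 in semver order.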
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.683Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1cd382f860ef943720750
Added to database: 3/11/2026, 8:14:48 PM
Last enriched: 3/19/2026, 2:21:06 AM
Last updated: 4/24/2026, 9:18:09 PM