Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web application backends. CVE-2026-32878 is a prototype pollution vulnerability affecting parse-server versions >= 9.0.0 and < 9.6.0-alpha.20, as well as versions below 8.6.44. The root cause is an insecure deep copy mechanism implemented via a third-party library that fails to properly handle prototype properties during object cloning. Attackers can craft malicious requests that bypass the default denylist of reserved keywords and class-level permissions designed to prevent unauthorized field additions. By exploiting this flaw, attackers inject fields directly into class schemas, even when field addition is locked down. This leads to permanent schema type conflicts that cannot be corrected, even with master key privileges, potentially corrupting the backend data model. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity and no privileges needed. The fix involved replacing the vulnerable deep copy library with a built-in deep clone function that safely handles prototype properties and allows the denylist checks to function correctly. No workarounds are currently available, making patching essential. There are no known exploits in the wild at this time.

The vulnerability allows attackers to bypass critical security controls in parse-server, such as denylist protections and class-level permissions, enabling unauthorized schema modifications. This can lead to permanent corruption of the backend data schema, causing data integrity issues and potentially breaking application functionality. Since schema conflicts cannot be resolved even with master key access, recovery may require significant manual intervention or data restoration from backups. Organizations relying on parse-server for backend services risk data corruption, service disruption, and loss of trust from users. The exploitability over the network without authentication increases the risk of widespread attacks, especially in environments exposing parse-server endpoints publicly. Although no known exploits exist yet, the medium severity rating reflects the potential for impactful misuse if weaponized. The vulnerability could also be leveraged as a stepping stone for further attacks by manipulating backend data structures.

The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.20 or later, or 8.6.44 or later, where the vulnerable deep copy library has been replaced with a secure built-in deep clone mechanism. Since no workarounds exist, patching is critical. Organizations should audit their parse-server deployments to identify affected versions and prioritize updates. Additionally, restrict network access to parse-server endpoints to trusted networks and implement strong API authentication and authorization controls to reduce exposure. Monitoring logs for unusual schema modification attempts or unexpected field additions can help detect exploitation attempts. Regular backups of schema and data are essential to enable recovery from potential corruption. Developers should review custom code interacting with parse-server schemas to ensure it does not inadvertently introduce similar prototype pollution risks. Finally, stay informed on updates from the parse-community project for any further security advisories.