Platform
nodejs
Component
parse-server
Fixed in
9.0.1
8.6.29
9.6.1
9.6.0-alpha.2
CVE-2026-31840 describes a SQL injection vulnerability in Parse Server's PostgreSQL storage adapter. When a query uses a dot-notation field name (for example `profile.city`, addressing a sub-field of a JSON column), the sub-field portion was placed into the generated SQL without proper escaping. An attacker who controls such a field name can therefore inject SQL into the statement that Parse Server runs against PostgreSQL. Versions before the fixed releases listed above are affected, and the issue warrants prompt patching to prevent data compromise.
By supplying a crafted dot-notation field name in a query's sort parameter, an attacker can break out of the string literal that the sub-field is written into and append arbitrary SQL to the statement. Because the injected text runs with the privileges of the database role Parse Server connects with, this can lead to unauthorized reading, modification, or deletion of data stored in the database, including user credentials, application data, and configuration information. Successful exploitation can therefore compromise the whole Parse Server application and the data behind it.
CVE-2026-31840 was publicly disclosed on 2026-03-10. At the time of writing there is no indication of active exploitation, the CVE is not listed in the CISA KEV catalog, and no public proof-of-concept exploit is known. The vulnerability is rated high severity because of the potential for significant data compromise.
Exploit Status
EPSS
0.06% (20th percentile)
The only complete mitigation for CVE-2026-31840 is to upgrade Parse Server to a fixed release, which escapes the characters in dot-notation sub-field values before they reach the generated SQL. No workaround is known. A Web Application Firewall is not a reliable substitute: the payload lives inside a field name rather than a value, and generic SQL injection signatures may not inspect that position. Stricter validation of field names in your own application code (for example, rejecting quote characters and other non-identifier characters in any field name taken from client input before it reaches a Parse query) reduces exposure but does not replace the upgrade. After upgrading, verify the fix by issuing a query whose sort key contains a quote character in a dot-notation sub-field and confirming that the request is rejected or treated as a literal (non-matching) field name, rather than altering the executed SQL.
Update Parse Server to one of the fixed releases listed above (8.6.29 on the 8.6 line, 9.0.1 on the 9.0 line, or 9.6.0-alpha.2 / 9.6.1 on the 9.6 line). These releases correct the SQL injection in the PostgreSQL adapter by properly escaping sub-field values in dot-notation queries.
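The following is an added illustration written for this page, not Parse Server's own code: a simplified model of how a dot-notation sort key such as `profile.city` can be turned into a PostgreSQL `ORDER BY` clause over a JSONB column, in a vulnerable form (sub-field pasted between quotes unescaped, the class of bug the advisory describes) and a hardened form (sub-field passed through standard single-quote escaping). The attacker sort key and the `sqlOutsideLiterals` check are constructed for the example; the exact SQL shape Parse Server generates differs.

```javascript
// Added illustration (not Parse Server code): dot-notation sort keys -> ORDER BY.

// Column names are validated against a strict identifier pattern; the bug the
// advisory describes is in the sub-field part, not the column part.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdent(name) {
  if (!SAFE_IDENT.test(name)) {
    throw new Error(`invalid column name: ${name}`);
  }
  return `"${name}"`;
}

// PostgreSQL string-literal quoting: wrap in single quotes and double any
// embedded single quote. A bound parameter is preferable where the driver
// allows one in that position; literal escaping is shown here for clarity.
function quoteLiteral(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// Split "-profile.address.city" into direction, column and sub-field path.
function parseSortKey(key) {
  const desc = key.startsWith('-');
  const [column, ...path] = (desc ? key.slice(1) : key).split('.');
  return { desc, column, path };
}

// Build "col"->'a'->>'b': -> for intermediate keys, ->> (text) for the last.
function jsonPathExpr(column, path, quoteSub) {
  let expr = quoteIdent(column);
  path.forEach((sub, i) => {
    const op = i === path.length - 1 ? '->>' : '->';
    expr += `${op}${quoteSub(sub)}`;
  });
  return expr;
}

function buildOrderBy(sortKeys, quoteSub) {
  const parts = sortKeys.map((key) => {
    const { desc, column, path } = parseSortKey(key);
    return `${jsonPathExpr(column, path, quoteSub)} ${desc ? 'DESC' : 'ASC'}`;
  });
  return `ORDER BY ${parts.join(', ')}`;
}

// Vulnerable: the sub-field is pasted between quotes without escaping.
function buildOrderByVulnerable(sortKeys) {
  return buildOrderBy(sortKeys, (sub) => `'${sub}'`);
}

// Hardened: the sub-field goes through quoteLiteral.
function buildOrderByHardened(sortKeys) {
  return buildOrderBy(sortKeys, quoteLiteral);
}

// Constructed attacker-controlled sort key (hypothetical, not from the advisory):
// closes the literal, appends a subquery to the ORDER BY list, comments out the rest.
const PAYLOAD_KEY = "profile.city', (SELECT pg_sleep(5)) --";

// Remove single-quoted literals (honouring '' escapes) so the caller can see
// which text PostgreSQL would parse as SQL rather than as string data.
function sqlOutsideLiterals(sql) {
  let out = '';
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inLiteral) {
      if (c === "'") {
        if (sql[i + 1] === "'") { i++; continue; } // escaped quote, still inside
        inLiteral = false;
      }
      continue;
    }
    if (c === "'") { inLiteral = true; continue; }
    out += c;
  }
  return out;
}

// Returns true when the injected subquery would be parsed as SQL.
function injectionReachesSql(orderBySql) {
  return sqlOutsideLiterals(orderBySql).includes('pg_sleep');
}

console.log('vulnerable:', buildOrderByVulnerable([PAYLOAD_KEY]));
console.log('hardened:  ', buildOrderByHardened([PAYLOAD_KEY]));
```

With the vulnerable builder the payload yields `ORDER BY "profile"->>'city', (SELECT pg_sleep(5)) --' ASC`, so the subquery executes and the trailing `' ASC` is commented out; with the hardened builder the whole payload stays inside one literal and PostgreSQL simply looks up a sub-field that does not exist. The same literal-vs-SQL check is what the post-upgrade verification in the mitigation section is looking for: a quote character in a sub-field must never change the executed statement.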
CVE-2026-31840 is a high-severity SQL injection vulnerability in Parse Server's PostgreSQL adapter, affecting versions before the fixed releases listed above. It allows an attacker to inject SQL through the sub-field portion of a dot-notation field name used in a sort query, potentially compromising the PostgreSQL database.
You are affected if you run a Parse Server version older than the fixed release for your branch and use the PostgreSQL database adapter. Assess your deployment and apply the update promptly.
Upgrade Parse Server to a fixed release (8.6.29, 9.0.1, 9.6.0-alpha.2 or 9.6.1, according to the branch you run). These releases properly escape characters in dot-notation sub-field values, preventing the injection.
There is currently no public information indicating that CVE-2026-31840 is being actively exploited, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the Parse Server GitHub repository for the official advisory and release notes: [https://github.com/parse/parse-server](https://github.com/parse/parse-server)