Platform: nodejs
Component: parse-server
Fixed in: 9.0.1, 8.6.30, 9.6.1, 9.6.0-alpha.3
CVE-2026-31856 describes a critical SQL injection vulnerability discovered in Parse Server. This flaw allows attackers to inject arbitrary SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions prior to 9.6.0-alpha.3, and a patch has been released to address the issue.
The SQL injection vulnerability resides within the PostgreSQL storage adapter when handling Increment operations on nested object fields using dot notation. The amount parameter is directly interpolated into the SQL query without proper sanitization or type validation. This means an attacker who can successfully send write requests to the Parse Server REST API can craft malicious SQL subqueries. These injected queries can bypass existing access controls (CLPs and ACLs), allowing the attacker to read any data stored within the database. MongoDB deployments are not affected by this specific vulnerability. The potential impact includes complete data exfiltration, modification of sensitive data, and potentially even database compromise.
CVE-2026-31856 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's severity and potential impact suggest a high likelihood of exploitation if a PoC becomes available. It is not currently listed on the CISA KEV catalog. The ease of exploitation depends on the attacker's ability to send authenticated write requests to the Parse Server API, which may require prior compromise or credential theft.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-31856 is to upgrade Parse Server to version 9.6.0-alpha.3 or later, which includes the necessary type validation and parameterization fixes. If an immediate upgrade is not feasible, add server-side input validation that rejects any Increment operation whose amount parameter is not a number before the request reaches the storage adapter; this reduces the attack surface but is not a substitute for the patch. Additionally, review and strengthen existing access control policies (CLPs and ACLs) to limit the potential damage from successful SQL injection attempts. After upgrading, confirm the fix by attempting an Increment operation with a non-numeric value in the amount field; the server should reject the request with an appropriate error.
Update Parse Server to version 9.6.0-alpha.3 or higher, or to version 8.6.29 or higher. This corrects the SQL injection vulnerability in the `Increment` operation on nested object fields in PostgreSQL. The update prevents the execution of arbitrary SQL queries and unauthorized data access.
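The following is an added example written for this page; it is not Parse Server's own code and not part of the fix described above. It implements the interim server-side check suggested in the mitigation section for the mechanism described earlier: it walks a Parse REST write body, finds every `Increment` operation (top-level, nested as objects, addressed with dot-notation keys such as `"stats.count"`, or inside a `/batch` request), and refuses the request if any `amount` is not a finite JavaScript number. The `incrementGuard` middleware and its Express wiring are assumptions; the sample bodies in the comments are constructed.

```javascript
'use strict';

// Added example, not Parse Server code. Enforces a numeric `amount` on every
// Increment op in a Parse REST write body before it reaches the server.
// The Express middleware at the bottom is an assumed wiring: an app with JSON
// bodies already parsed, mounted ahead of the Parse Server handler.

function isFiniteNumber(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

function describe(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Recursively collect every Increment op whose amount is not a finite number.
// Returns [{ path, amount }], where `path` joins the keys leading to the op,
// e.g. "stats.count" for a dot-notation key or "profile.counters.views" for
// nested objects. Arrays are descended too, which covers /batch payloads
// ({ requests: [{ method, path, body }, ...] }).
function findBadIncrements(body, path = []) {
  const bad = [];
  if (body === null || typeof body !== 'object') return bad;
  if (Array.isArray(body)) {
    body.forEach((item, i) => bad.push(...findBadIncrements(item, [...path, String(i)])));
    return bad;
  }
  if (body.__op === 'Increment') {
    if (!isFiniteNumber(body.amount)) {
      bad.push({ path: path.join('.'), amount: body.amount });
    }
    return bad; // an op object carries no further user fields to inspect
  }
  for (const [key, value] of Object.entries(body)) {
    bad.push(...findBadIncrements(value, [...path, key]));
  }
  return bad;
}

// Validate a whole write body. `ok` is false when at least one Increment has a
// non-numeric amount; `errors` holds one message per offending op.
function validateWrite(body) {
  const bad = findBadIncrements(body);
  return {
    ok: bad.length === 0,
    errors: bad.map(b => `Increment on "${b.path}" must be a number, got ${describe(b.amount)}`),
  };
}

// Assumed Express wiring: app.use('/parse', incrementGuard, parseServerApp).
// Rejected writes get a 400 with Parse-style error JSON (111 = INCORRECT_TYPE)
// and are logged so the attempt shows up in detection.
function incrementGuard(req, res, next) {
  const isWrite = req.method === 'POST' || req.method === 'PUT';
  if (isWrite && req.body && typeof req.body === 'object') {
    const result = validateWrite(req.body);
    if (!result.ok) {
      console.warn('rejected write with non-numeric Increment amount', {
        ip: req.ip,
        path: req.originalUrl,
        errors: result.errors,
      });
      return res.status(400).json({ code: 111, error: result.errors.join('; ') });
    }
  }
  return next();
}
```

The check is deliberately a whitelist on type (`typeof === 'number'` and finite) rather than a blacklist of characters in strings: the flaw is that a non-numeric `amount` is interpolated into SQL, so anything that is not a plain number is refused, including `NaN`, `Infinity`, numeric strings, arrays and objects. Keep the guard in place only until the upgrade to a fixed version is rolled out; it does not replace the parameterization fix in the adapter.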
CVE-2026-31856 is a critical SQL injection vulnerability affecting Parse Server versions prior to 9.6.0-alpha.3. It allows attackers to inject malicious SQL queries via Increment operations, potentially leading to data breaches.
You are affected if you are running Parse Server versions prior to 9.6.0-alpha.3 and use PostgreSQL as your database. MongoDB deployments are not affected.
Upgrade Parse Server to version 9.6.0-alpha.3 or later. As a temporary workaround, implement stricter input validation on the server-side for the amount parameter.
While no active exploitation has been confirmed, the vulnerability's severity and potential impact suggest a high likelihood of exploitation if a public proof-of-concept is released.
Refer to the official Parse Server security advisory for detailed information and updates: [https://github.com/parse/parse-server/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/parse/parse-server/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)