Platform: nodejs
Component: parse-server
Fixed in: 9.0.1, 8.6.32, 9.6.1, 9.6.0-alpha.5
CVE-2026-31871 describes a critical SQL Injection vulnerability discovered in Parse Server. This flaw allows attackers to inject arbitrary SQL code by manipulating nested object fields within Increment operations using dot notation. Affected versions are those prior to 9.6.0-alpha.5; upgrading to the patched version resolves the issue.
The SQL Injection vulnerability in Parse Server arises from the improper handling of sub-key names within the PostgreSQL storage adapter's Increment operations. Specifically, when updating nested object fields using dot notation (e.g., stats.counter), the sub-key name is directly interpolated into SQL string literals without proper escaping. This lack of sanitization enables an attacker who can send write requests to the Parse Server REST API to inject malicious SQL code. Successful exploitation could lead to unauthorized data access, modification, or deletion, potentially allowing attackers to bypass existing access controls (CLPs and ACLs) and gain full control over the database. The blast radius is significant, potentially impacting all data stored within the Parse Server instance.
CVE-2026-31871 was publicly disclosed on 2026-03-11. The vulnerability is specific to PostgreSQL deployments of Parse Server. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation suggests a potential for rapid development of such tools. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation if the vulnerability remains unpatched.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-31871 is to immediately upgrade Parse Server to version 9.6.0-alpha.5 or later. If an immediate upgrade is not feasible, consider implementing stricter input validation on the server side to sanitize sub-key names before they are incorporated into SQL queries. While not a complete solution, this can reduce the attack surface. Additionally, review and tighten access control policies (CLPs and ACLs) to limit the potential impact of a successful SQL injection attack. After upgrading, confirm the fix by attempting to trigger the vulnerable Increment operation with a crafted sub-key containing single quotes and verifying that the query fails with an error instead of executing arbitrary SQL.
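The following is an added illustration of the two controls the description and mitigation above point at, written in JavaScript because Parse Server runs on Node.js. It is not Parse Server's own code and does not reproduce its PostgreSQL adapter; the function names (validateSubKey, buildIncrementUnsafe, buildIncrementSafe), the GameScore/stats sample inputs, and the assumption that nested fields live in a jsonb column are all constructed for the example. The unsafe builder shows the defect class (a sub-key spliced into a SQL string literal); the hardened builder allow-lists every path segment and passes the path and the amount as bound parameters, so the sub-key never appears in the statement text.

```javascript
// Added example, not Parse Server's own code. Demonstrates allow-listing
// dot-notation sub-key names before they reach SQL, and binding the JSON
// path and increment amount as query parameters instead of interpolating
// them. Function names and the jsonb column layout are assumptions.

// A sub-key is one segment of a dot path such as "stats.counter".
// Only identifier-like segments pass; anything else is rejected outright.
const SUB_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function validateSubKey(segment) {
  if (typeof segment !== "string" || !SUB_KEY_RE.test(segment)) {
    throw new Error(`invalid sub-key name: ${JSON.stringify(segment)}`);
  }
  return segment;
}

// Table and column names are held to the same rule and then double-quoted.
function quoteIdent(name) {
  return `"${validateSubKey(name)}"`;
}

// The defect class the advisory describes: the sub-key goes straight into a
// SQL string literal, so its characters are interpreted by the SQL parser.
// Kept only as the "before" form for contrast with buildIncrementSafe.
function buildIncrementUnsafe(table, column, subKey, amount) {
  return (
    `UPDATE ${quoteIdent(table)} SET ${quoteIdent(column)} = ` +
    `jsonb_set(${quoteIdent(column)}, '{${subKey}}', ` +
    `(COALESCE(${quoteIdent(column)}->>'${subKey}', '0')::numeric + ${amount})::text::jsonb)`
  );
}

// Hardened form: every path segment is validated, the path travels as a
// text[] parameter ($1) and the amount as a numeric parameter ($2). The
// returned { text, values } pair is the shape node-postgres' query() accepts.
function buildIncrementSafe(table, fieldPath, amount) {
  if (typeof fieldPath !== "string") {
    throw new Error("fieldPath must be a string");
  }
  const [column, ...path] = fieldPath.split(".").map(validateSubKey);
  if (path.length === 0) {
    throw new Error("expected a nested field such as stats.counter");
  }
  if (typeof amount !== "number" || !Number.isFinite(amount)) {
    throw new Error("amount must be a finite number");
  }
  const col = quoteIdent(column);
  return {
    text:
      `UPDATE ${quoteIdent(table)} SET ${col} = jsonb_set(${col}, $1::text[], ` +
      `(COALESCE(${col} #>> $1::text[], '0')::numeric + $2)::text::jsonb, true)`,
    values: [path, amount],
  };
}

// Returns true when fn throws; used to show rejection of bad input.
function isRejected(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return true;
  }
}

// Demonstration on constructed inputs: a valid nested increment, and a
// sub-key containing a single quote that the validator refuses.
console.log(buildIncrementSafe("GameScore", "stats.counter", 1));
console.log(
  "quote in sub-key rejected:",
  isRejected(() => buildIncrementSafe("GameScore", "stats.a'b", 1))
);
```

The validator is deliberately narrow: Parse field names are identifier-like, so a regex allow-list loses nothing and removes the whole class of delimiter characters at once, while parameter binding means the database never parses the path as SQL even if the allow-list were later relaxed.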
Update Parse Server to version 9.6.0-alpha.5 or later, or to version 8.6.31 or later. This fixes the SQL injection vulnerability in the Increment operation on PostgreSQL. Be sure to test thoroughly after upgrading.
CVE-2026-31871 is a critical SQL Injection vulnerability affecting Parse Server versions before 9.6.0-alpha.5. It allows attackers to inject malicious SQL code via crafted nested object fields, potentially compromising the database.
You are affected if you are running Parse Server with PostgreSQL and are using a version prior to 9.6.0-alpha.5. Check your version and upgrade immediately if vulnerable.
Upgrade Parse Server to version 9.6.0-alpha.5 or later. As a temporary workaround, implement stricter input validation on the server side to sanitize sub-key names.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests a potential for rapid development of PoCs and subsequent attacks.
Refer to the official Parse Server documentation and security advisories for the most up-to-date information and guidance regarding CVE-2026-31871.