CVE-2026-30850
MEDIUM WAF: Low
CVSS 5.9
Published: 2026-03-07
CWE-862
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
WAF Coverage Analysis
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| parseplatform | parse-server | up to 8.6.9 |
| parseplatform | parse-server | 9.0.0 - 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
References
- github.com (Vendor Advisory)