{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30850", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-07T16:21:53.897Z", "dateUpdated": "2026-03-09T18:25:10.263Z"}, "containers": {"cna": {"title": "Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.9", "status": "affected"}, {"version": "< 9.5.0-alpha.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:21:53.897Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9."}], "source": {"advisory": "GHSA-hwx8-q9cg-mqmc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:38:46.352410Z", "id": "CVE-2026-30850", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:25:10.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30850", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:38:46.352410Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:38:47.949Z"}}], "cna": {"title": "Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization", "source": {"advisory": "GHSA-hwx8-q9cg-mqmc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.9"}, {"status": "affected", "version": "< 9.5.0-alpha.9"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:21:53.897Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30850", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:25:10.263Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:21:53.897Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FBF2D6E7-5E50-4066-A1DB-8184C9DF1D11", "versionEndExcluding": "8.6.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77A07A2F-C8ED-4D78-A9C0-66AB42F69F38", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:-:*:*:*:node.js:*:*", "matchCriteriaId": "6BBF106F-1BEF-457B-A81D-50F6F503A292", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3E9F95CF-EEE1-42FC-904E-321F05E3DE4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "5C02D6F0-5A3A-45F5-8A74-F75A8CCAE7DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "103C9745-031B-4822-A19C-A61375FBB1AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "8D67029D-C1BD-4D46-A84F-C52B4D364268", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "3B10930D-B416-4D9A-BA26-F0AD22BFAE28", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "72794836-5CFB-4928-BB22-D7DE813809B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "FA2C4C1E-3AE6-48E0-8B59-80554AE85BB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "40C8E499-E5C6-48DD-AE36-B73B2B6ADA67", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.9 y 9.5.0-alpha.9, el endpoint de metadatos de archivos (GET /files/:appId/metadata/:filename) no aplica los triggers de archivo beforeFind / afterFind. Cuando estos triggers se utilizan como puertas de control de acceso, el endpoint de metadatos los omite por completo, permitiendo el acceso no autorizado a los metadatos de los archivos. Este problema ha sido parcheado en las versiones 8.6.9 y 9.5.0-alpha.9."}], "id": "CVE-2026-30850", "lastModified": "2026-03-10T16:55:09.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T17:15:52.367", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.5.0-alpha.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-16T10:48:20.041132+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.9 or newer, or to version 9.5.0-alpha.9 or newer, where the metadata endpoint enforces the beforeFind and afterFind authorization logic.", "If an upgrade cannot be performed immediately, restrict external access to the metadata endpoint (e.g., via firewall rules or API gateway configurations) to only trusted internal IP ranges or authenticated sources.", "Verify that the beforeFind and afterFind triggers remain correctly configured as access-control gates after any change, and run penetration tests to confirm that file metadata is no longer publicly accessible."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to file metadata via endpoint bypass"}, "threat_synthesis": {"affected_systems": "Parse Server versions earlier than 8.6.9 and 9.5.0-alpha.9 are impacted, regardless of the underlying operating system or infrastructure, provided Node.js is available. The vulnerability is tied to the open-source backend code maintained by the parse-community project.", "description_and_impact": "The flaw resides in the file metadata endpoint of Parse Server, where the beforeFind and afterFind triggers are not enforced for GET /files/:appId/metadata/:filename requests. This bypass allows an unauthenticated user to retrieve metadata for any file regardless of the access-control logic encoded in the triggers, exposing potentially sensitive information such as filenames, sizes, or storage location. The weakness is characterized as an unauthorized access flaw (CWE-862).", "risk_and_exploitability": "The CVSS v3 score of 6.3 indicates a medium severity, while the EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog, which further reduces immediate threat. An attacker must know the target appId and filename to trigger the endpoint, but no additional authentication is required, so the attack vector is effectively remote and directly exploitable by issuing a crafted HTTP GET request. The lack of trigger enforcement can lead to exposure of file metadata but does not directly grant file content access."}}}}, "created": "2026-03-09T10:04:58.749875+00:00", "updated": "2026-04-16T11:00:10.636406+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}