CVE-2026-33539: Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.
Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
References
- github.com/advisories/GHSA-p2w6-rmh7-w8q3
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
- github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
- github.com/parse-community/parse-server/pull/10272
- github.com/parse-community/parse-server/pull/10273
- github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
- nvd.nist.gov/vuln/detail/CVE-2026-33539