CVE-2026-30228: parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction

March 6, 2026

The readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey.

Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files.

References

github.com/advisories/GHSA-xfh7-phr7-gr2x
github.com/parse-community/parse-server
github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x
nvd.nist.gov/vuln/detail/CVE-2026-30228

Code Behaviors & Features

Detect and mitigate CVE-2026-30228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →