CVE-2026-30938: Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique.
All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default.
References
- github.com/advisories/GHSA-q342-9w2p-57fp
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.12
- github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
- github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp
- nvd.nist.gov/vuln/detail/CVE-2026-30938
Code Behaviors & Features
Detect and mitigate CVE-2026-30938 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →