CVE-2026-31872: Parse Server has a protected fields bypass via dot-notation in query and sort
The protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values.
This affects both MongoDB and PostgreSQL deployments.
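Upgrading to a patched release (8.6.32 or 9.6.0-alpha.6) is the fix. As an added illustration of the check that closes this gap, and not code from Parse Server itself, the function below takes the field names that the protectedFields CLP hides from the current requester (resolving which CLP entry applies is assumed to happen elsewhere, for example in a beforeFind trigger) and reports every `where` constraint or `order` key that reaches one of them, reducing dot-notation paths such as `secret.nested` to their root field so sub-field access is caught too.

```javascript
// Added example, not Parse Server's own code. Reduces every queried or sorted
// key to its root field and compares it against the requester's protected set.

function rootField(key) {
  // "secret.nested.deep" -> "secret"; plain keys are returned unchanged
  return key.split('.')[0];
}

// Collect root fields constrained in a Parse-style `where` object,
// descending into $or / $and / $nor compound clauses
function constrainedFields(where, out = new Set()) {
  if (!where || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      if (Array.isArray(value)) value.forEach(sub => constrainedFields(sub, out));
    } else {
      out.add(rootField(key));
    }
  }
  return out;
}

// Parse's `order` parameter is a comma-separated list of keys; a leading "-"
// means descending. Returns the root field of each key.
function sortFields(order) {
  if (!order) return new Set();
  return new Set(
    order.split(',').map(s => s.trim()).filter(Boolean)
      .map(s => rootField(s.startsWith('-') ? s.slice(1) : s))
  );
}

// Returns the sorted list of protected fields the query touches (directly or
// via dot-notation); an empty list means the query may proceed.
function protectedFieldsReferenced(protectedForRequester, where, order) {
  const protectedSet = new Set(protectedForRequester);
  const used = new Set([...constrainedFields(where), ...sortFields(order)]);
  return [...used].filter(f => protectedSet.has(f)).sort();
}

// Constructed sample: "ssn" and "secret" are hidden from this requester.
const hidden = ['ssn', 'secret'];
const probing = { $or: [{ 'secret.code': { $gt: 'm' } }, { name: 'x' }] };
console.log(protectedFieldsReferenced(hidden, probing, '-ssn.last4,name')); // [ 'secret', 'ssn' ]
console.log(protectedFieldsReferenced(hidden, { name: 'x' }, 'name'));      // []
```

A deployment that cannot upgrade immediately can reject the request when the returned list is non-empty; it is a stopgap, not a replacement for the patched release.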
References
- github.com/advisories/GHSA-r2m8-pxm9-9c4g
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.32
- github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6
- github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g
- nvd.nist.gov/vuln/detail/CVE-2026-31872