CVE-2026-33539: Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

March 24, 2026

An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.

Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.

References

github.com/advisories/GHSA-p2w6-rmh7-w8q3
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10272
github.com/parse-community/parse-server/pull/10273
github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3
nvd.nist.gov/vuln/detail/CVE-2026-33539

Code Behaviors & Features

Detect and mitigate CVE-2026-33539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →