logo

Database

SQL injection - Code In parse-server

Description

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact

An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.

Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.

Patches

Field names in the aggregate $group._id object values and distinct dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the :raw interpolation used in the PostgreSQL storage adapter.

Workarounds

No workaround. Upgrade to a patched version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-335392. NVD-2026-335393. OSV-2026-335394. GHSA-p2w6-rmh7-w8q35. GCVE-2026-33539

References

1. https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q32. https://github.com/parse-community/parse-server/pull/102723. https://github.com/parse-community/parse-server/pull/10273

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.