CVE-2026-29182 HIGH

CVE-2026-29182: Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Vendor Parse-Community
Product parse-server
Weakness CWE-863 · Incorrect authorization
Published March 6, 2026
Last update March 9, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41174 Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels CVE-2021-24405 Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting CVE-2024-39322 aimeos/ai-admin-jsonadm improper access control vulnerability allows editors to remove required records CVE-2021-41230 OIDC claims not updated from Identity Provider in Pomerium