CVE-2026-30850 MEDIUM

CVE-2026-30850: Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Vendor Parse-Community
Product parse-server
Weakness CWE-862 · Missing authorization
Published March 7, 2026
Last update March 9, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.

Key dates

02Disclosure timeline

March 7, 2026 CVE published
March 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-13449 Boom Fest <= 2.2.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update CVE-2024-1079 Quiz Maker <= 6.5.2.4 - Missing Authorization to Unauthenticated Quiz Data Retrieval CVE-2025-68043 WordPress LottieFiles plugin <= 3.0.0 - Broken Access Control vulnerability CVE-2025-68896 WordPress WDV One Page Docs plugin <= 1.2.4 - Broken Access Control vulnerability CVE-2024-24822 Pimcore Admin Classic Bundle permissions are not getting checked when working with tags