CVE-2026-31871 CRITICAL

CVE-2026-31871: Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Vendor Parse-Community
Product parse-server
Weakness CWE-89 · SQLi
Published March 11, 2026
Last update March 12, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-11204 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.2 - Authenticated (Administrator+) SQL Injection CVE-2024-6003 Guangdong Baolun Electronics IP Network Broadcasting Service Platform maps sql injection CVE-2026-32127 SQL Injection Vulnerability in ajax graphs library (OpenEMR) CVE-2024-36412 SuiteCRM unauthenticated SQL Injection CVE-2025-14353 ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter