CVE-2026-30850
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Description
### Impact The file metadata endpoint (GET `/files/:appId/metadata/:filename`) does not enforce `beforeFind` / `afterFind` file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any deployment that relies on `Parse.Cloud.beforeFind(Parse.File, ...)` to restrict file access. Only file metadata (user-defined key-value pairs set via addMetadata) is exposed; file content remains protected. ### Patches The metadata handler now runs `beforeFind` and `afterFind` triggers and returns HTTP 403 when a trigger denies access. ### Workarounds Disable the `metadata` endpoint by overriding the route with a middleware that rejects all requests: ```js // Add before mounting Parse Server app.get('/parse/files/:appId/metadata/:filename', (req, res) => { res.status(403).json({ error: 'Forbidden' }); }); ``` Adjust the path prefix (`/parse`) to match your mountPath. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.9
How to fix CVE-2026-30850
To remediate CVE-2026-30850, upgrade the affected package to a fixed version below.
- —upgrade to 9.5.0 or later
- —upgrade to 8.6.9 or later
Is CVE-2026-30850 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 9.5.0
- from 0, < 8.6.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |