CVE-2026-30938
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Description
### Impact The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The `requestKeywordDenylist` is enabled by default. ### Patches The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads. ### Workarounds Use a Cloud Code `beforeSave` trigger to validate incoming data for prohibited keywords across all classes. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.12
How to fix CVE-2026-30938
To remediate CVE-2026-30938, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.12 or later
- —upgrade to 8.6.12 or later
Is CVE-2026-30938 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.12, >= 9.0.0, < 9.5.1
- from 0, < 8.6.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |