CVE-2026-33539
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Description
### Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. ### Patches Field names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter. ### Workarounds No workaround. Upgrade to a patched version.
How to fix CVE-2026-33539
To remediate CVE-2026-33539, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.59 or later
- —upgrade to 9.6.0-alpha.53 or later
Is CVE-2026-33539 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.59, >= 9.0.0, < 9.6.0
- >= 9.0.0, < 9.6.0-alpha.53
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |