Severity: HIGH

GHSA-79wj-8rqv-jvp5

parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Details

### Impact

A request authenticated with the `readOnlyMasterKey` can call `POST /loginAs` and obtain a valid session token for any user. The issued session token carries that user's full privileges, so the read-only restriction on the key is bypassed: a credential that was meant to grant read-only access can impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that configures a `readOnlyMasterKey` is affected.

### Patches

The fix adds a check to the `/loginAs` handler so that a request authenticated with the `readOnlyMasterKey` is rejected; only the full master key may log in as another user.

### Workarounds

There is no workaround other than not using `readOnlyMasterKey`. Until the fixed version is deployed, remove the key from the configuration; any read-only key that has already been handed out should be treated as if it were a full master key and rotated.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-79wj-8rqv-jvp5
- Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.4
- Fix for Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.6


Affected packages

- npm / parse-server: all versions before 8.6.6 (introduced in 0). Fixed in 8.6.6. Fix: `npm install parse-server@8.6.6`
- npm / parse-server: 9.0.0 and later before 9.5.0-alpha.4. Fixed in 9.5.0-alpha.4. Fix: `npm install parse-server@9.5.0-alpha.4`
