GHSA-p2w6-rmh7-w8q3
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Details
### Impact
An attacker who holds the master key (or any server-side code that issues requests with it) can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into the field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This escalates privilege from Parse Server application-level administrator to PostgreSQL database-level access; what can be done from there is bounded only by the privileges of the PostgreSQL role Parse Server connects with.
Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
### Patches
Field names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.
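The two sentences above describe both the bug and the fix; the following is an added example (not Parse Server's code and not the PostgreSQL adapter's API) that models them side by side. The only facts it takes from the advisory are that field names reached the SQL text through pg-promise-style `:raw` interpolation and that the fix restricts them to alphanumerics and underscores. Every function name, the `formatRaw` stand-in, the JSON-path rendering of dot notation, and the `PAYLOAD` string are assumptions made for illustration.

```javascript
// Added example, not Parse Server's own code: a minimal model of the bug and
// of the fix the advisory describes. All function names are illustrative.

// Stand-in for `:raw` formatting: the argument is pasted into the query text
// verbatim, with no quoting or escaping. This is what makes an unvalidated
// field name dangerous.
function formatRaw(template, params) {
  return template.replace(/\$(\d+):raw/g, (_, i) => String(params[Number(i) - 1]));
}

// Hypothetical "before": the distinct field name goes straight into the SQL.
function buildDistinctSqlUnsafe(className, fieldName) {
  return formatRaw('SELECT DISTINCT $1:raw FROM $2:raw', [`"${fieldName}"`, `"${className}"`]);
}

// The allow-list the advisory describes, applied per dot-separated component
// of a field path. A leading '$' (aggregation field reference) is stripped first.
const FIELD_COMPONENT = /^[A-Za-z0-9_]+$/;

function isSafeFieldPath(fieldName) {
  if (typeof fieldName !== 'string' || fieldName.length === 0) return false;
  const path = fieldName.startsWith('$') ? fieldName.slice(1) : fieldName;
  return path.split('.').every(part => FIELD_COMPONENT.test(part));
}

// Hypothetical "after": validate, then build. The dot-notation tail is turned
// into a JSON path (`"col"->'a'->>'b'`); that rendering is an assumption of
// this example, not taken from the adapter.
function buildDistinctSql(className, fieldName) {
  if (!isSafeFieldPath(fieldName)) {
    throw new Error(`Invalid field name: ${fieldName}`);
  }
  const [column, ...jsonPath] = fieldName.split('.');
  const expr = jsonPath.length === 0
    ? `"${column}"`
    : `"${column}"` + jsonPath
        .map((key, i) => (i === jsonPath.length - 1 ? '->>' : '->') + `'${key}'`)
        .join('');
  // `:raw` is still used, but only with a name that passed the allow-list.
  return formatRaw('SELECT DISTINCT $1:raw FROM $2:raw', [expr, `"${className}"`]);
}

// Same check for the `$group._id` stage of an aggregate pipeline, e.g.
// { _id: { city: '$address.city' } } or { _id: '$price' }. Every string value
// is treated as a field reference (an assumption of this example) and is
// returned without its leading '$'.
function validateGroupIdFields(groupId) {
  const values = typeof groupId === 'string' ? [groupId] : Object.values(groupId || {});
  const bad = values.filter(v => !isSafeFieldPath(v));
  if (bad.length > 0) {
    throw new Error(`Invalid field name(s) in $group._id: ${bad.join(', ')}`);
  }
  return values.map(v => (v.startsWith('$') ? v.slice(1) : v));
}

// Constructed payload: closes the double quote, ends the SELECT and appends a
// second statement. Whether a driver would execute both statements depends on
// the query protocol in use; the point is that the text reaches the query.
const PAYLOAD = 'objectId" FROM "_User"; DROP TABLE "_Session"; --';

// Runs the three cases and returns them so they can be inspected or asserted on.
function demo() {
  let rejected = null;
  try {
    buildDistinctSql('Item', PAYLOAD);
  } catch (e) {
    rejected = e.message;
  }
  return {
    unsafe: buildDistinctSqlUnsafe('Item', PAYLOAD),
    safe: buildDistinctSql('Item', 'address.city'),
    rejected,
  };
}
```

Calling `demo()` shows the attacker text embedded in the unsafe query, the validated dot-notation field rendered as a JSON path, and the same payload rejected by the allow-list. Note that the fix is validation rather than quoting: a name that matches `^[A-Za-z0-9_]+$` per component cannot contain a quote, semicolon, or comment marker, so interpolating it with `:raw` afterwards is safe.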
### Workarounds
No workaround. Upgrade to a patched version. Until then, limiting the privileges of the PostgreSQL role Parse Server connects with and keeping the master key out of untrusted code reduce the impact but do not remove the vulnerability.
Affected packages
- parse-server (npm), affected version 9.0.0; fixed in 9.6.0-alpha.53 (`npm install parse-server@9.6.0-alpha.53`)
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33539 [ADVISORY]
- https://github.com/parse-community/parse-server/pull/10272 [WEB]
- https://github.com/parse-community/parse-server/pull/10273 [WEB]
- https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c [WEB]
- https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]