GHSA-vc89-5g3r-cmhh
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Details
### Impact
Parse Server's `readOnlyMasterKey` option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the `readOnlyMasterKey` for mutating operations. This allows a caller who only holds the `readOnlyMasterKey` to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.
Any Parse Server deployment that uses the `readOnlyMasterKey` option is affected. Note than an attacker needs to know the `readOnlyMasterKey` to exploit this vulnerability.
### Patches
The fix adds authorization checks, rejecting mutating requests made with the `readOnlyMasterKey`.
### Workarounds
There is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the `readOnlyMasterKey` value is not shared with untrusted parties.
### Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh - Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3 - Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4
Are you affected?
Enter the version of the package you're using.
Affected packages
9.0.0 Fixed in: 9.4.1-alpha.3 npm install parse-server@9.4.1-alpha.3 References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-29182 [ADVISORY]
- https://github.com/parse-community/parse-server [PACKAGE]
- https://github.com/parse-community/parse-server/releases/tag/8.6.4 [WEB]
- https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3 [WEB]