CVE-2026-30850
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
| CWE | CWE-862 |
| Vendor | parse-community |
| Product | parse-server |
| Published | Mar 7, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for parse-community parse-server
Be the first to know when new unknown vulnerabilities affecting parse-community parse-server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
parse-community / parse-server
< 8.6.9 < 9.5.0-alpha.9