Skip to content

[Vulnerability] parse-community/parse-server: Authorization Bypass / Privilege Escalation #98

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: 22faa08
Author: Manuel
Date: 2026-03-08T16:26:41Z

Commit Message

fix: Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc)) (#10141)

Pull Request

PR: #10141 - fix: Parse Server role escalation and CLP bypass via direct _Join table write (GHSA-5f92-jrq3-28rc)
Labels: state:released-alpha

Description:

Pull Request

Issue

Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](GHSA-5f92-jrq3-28rc))

Tasks

<!-- Check completed tasks and delete tasks t...

Analysis

Vulnerability Type: Authorization Bypass / Privilege Escalation
Severity: High

Description

Before the patch, clients without proper privileges could directly write to the internal _Join tables, which manage user-role relations. This allowed unauthorized users to escalate their roles by inserting entries into _Join:users:_Role, effectively bypassing Class Level Permissions (CLP) and gaining elevated access rights. The patch enforces that only master or maintenance keys can modify these internal tables, preventing unauthorized role escalations and CLP bypasses.

Affected Code

  // _Join tables are internal and must only be modified through relation operations
  // Missing enforcement for client writes to _Join tables, allowing direct creation or modification without proper auth

Proof of Concept

1. Sign up a new user (e.g., username 'attacker').
2. Obtain this user's session token.
3. Issue a direct REST API POST request to create a new object in `_Join:users:_Role` with `relatedId` set to the attacker's user ID and `owningId` set to the 'superadmin' role ID.

Example curl request:
curl -X POST https://your.parse.server/classes/_Join:users:_Role \
  -H "X-Parse-Application-Id: YOUR_APP_ID" \
  -H "X-Parse-Session-Token: ATTACKER_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"relatedId":"ATTACKER_USER_ID","owningId":"SUPERADMIN_ROLE_ID"}'

Expected behavior before patch: The request succeeds, granting the attacker the 'superadmin' role.
Expected behavior after patch: The request is denied with 'Permission denied' error.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T18:01:02.766Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions