Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 22faa08
Author: Manuel
Date: 2026-03-08T16:26:41Z
Commit Message
fix: Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc)) (#10141)
Pull Request
PR: #10141 - fix: Parse Server role escalation and CLP bypass via direct _Join table write (GHSA-5f92-jrq3-28rc)
Labels: state:released-alpha
Description:
Pull Request
Issue
Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](GHSA-5f92-jrq3-28rc))
Tasks
<!-- Check completed tasks and delete tasks t...
Analysis
Vulnerability Type: Authorization Bypass / Privilege Escalation
Severity: High
Description
Before the patch, clients without proper privileges could directly write to the internal _Join tables, which manage user-role relations. This allowed unauthorized users to escalate their roles by inserting entries into _Join:users:_Role, effectively bypassing Class Level Permissions (CLP) and gaining elevated access rights. The patch enforces that only master or maintenance keys can modify these internal tables, preventing unauthorized role escalations and CLP bypasses.
Affected Code
// _Join tables are internal and must only be modified through relation operations
// Missing enforcement for client writes to _Join tables, allowing direct creation or modification without proper auth
Proof of Concept
1. Sign up a new user (e.g., username 'attacker').
2. Obtain this user's session token.
3. Issue a direct REST API POST request to create a new object in `_Join:users:_Role` with `relatedId` set to the attacker's user ID and `owningId` set to the 'superadmin' role ID.
Example curl request:
curl -X POST https://your.parse.server/classes/_Join:users:_Role \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "X-Parse-Session-Token: ATTACKER_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{"relatedId":"ATTACKER_USER_ID","owningId":"SUPERADMIN_ROLE_ID"}'
Expected behavior before patch: The request succeeds, granting the attacker the 'superadmin' role.
Expected behavior after patch: The request is denied with 'Permission denied' error.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T18:01:02.766Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 22faa08
Author: Manuel
Date: 2026-03-08T16:26:41Z
Commit Message
Pull Request
PR: #10141 - fix: Parse Server role escalation and CLP bypass via direct
_Jointable write (GHSA-5f92-jrq3-28rc)Labels: state:released-alpha
Description:
Pull Request
Issue
Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](GHSA-5f92-jrq3-28rc))
Tasks
<!-- Check completed tasks and delete tasks t...
Analysis
Vulnerability Type: Authorization Bypass / Privilege Escalation
Severity: High
Description
Before the patch, clients without proper privileges could directly write to the internal
_Jointables, which manage user-role relations. This allowed unauthorized users to escalate their roles by inserting entries into_Join:users:_Role, effectively bypassing Class Level Permissions (CLP) and gaining elevated access rights. The patch enforces that only master or maintenance keys can modify these internal tables, preventing unauthorized role escalations and CLP bypasses.Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T18:01:02.766Z