CVE-2026-30850

EPSS 0.02%

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Published: 3/9/2026
Modified: 3/16/2026

Description

### Impact

The file metadata endpoint (GET `/files/:appId/metadata/:filename`) does not enforce `beforeFind` / `afterFind` file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any deployment that relies on `Parse.Cloud.beforeFind(Parse.File, ...)` to restrict file access. Only file metadata (user-defined key-value pairs set via `addMetadata`) is exposed; file content remains protected.

### Patches

The metadata handler now runs `beforeFind` and `afterFind` triggers and returns HTTP 403 when a trigger denies access.

### Workarounds

Disable the `metadata` endpoint by overriding the route with a middleware that rejects all requests:

```js
// Add before mounting Parse Server
app.get('/parse/files/:appId/metadata/:filename', (req, res) => {
  res.status(403).json({ error: 'Forbidden' });
});
```

Adjust the path prefix (`/parse`) to match your mountPath.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.9
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.9
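As an added illustration of the fix described under Patches (this is example code, not Parse Server's own handler), the following Node.js model contrasts a metadata handler that skips the file triggers with one that runs `beforeFind` / `afterFind` and maps a denial to HTTP 403, beside the advisory's blanket-403 workaround. The names `fileStore`, `triggerStore`, `registerFileTrigger`, `runTrigger`, `metadataHandlerVulnerable`, `metadataHandlerFixed` and `workaroundHandler`, the sample metadata and the access policy are all assumptions constructed for this example; triggers run synchronously here, whereas real Cloud triggers are async.

```javascript
// Added example, not Parse Server code: a minimal model of the file metadata
// route before and after the fix. All names and data below are constructed.

// Constructed sample data: user-defined metadata as set via addMetadata().
const fileStore = {
  'report.pdf': { owner: 'alice', classification: 'confidential' },
  'logo.png': { owner: 'public', classification: 'public' },
};

// Registry standing in for Parse.Cloud.beforeFind/afterFind(Parse.File, fn).
const triggerStore = { beforeFind: null, afterFind: null };

function registerFileTrigger(name, fn) {
  if (!(name in triggerStore)) throw new Error(`unknown trigger ${name}`);
  triggerStore[name] = fn;
}

// Runs a trigger with a context object; a throw means "deny".
// Triggers may mutate the context (afterFind edits ctx.result in place).
function runTrigger(name, ctx) {
  const fn = triggerStore[name];
  if (fn) fn(ctx);
  return ctx;
}

// Shape of the vulnerable handler: metadata is returned without consulting
// the file triggers, so a beforeFind access policy is never applied.
function metadataHandlerVulnerable(req) {
  const meta = fileStore[req.params.filename];
  if (!meta) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { metadata: { ...meta } } };
}

// Shape of the patched handler: beforeFind gates the lookup, afterFind may
// reshape the result, and a throw from either maps to HTTP 403.
function metadataHandlerFixed(req) {
  const ctx = { user: req.user, filename: req.params.filename };
  try {
    runTrigger('beforeFind', ctx);
  } catch (err) {
    return { status: 403, body: { error: err.message || 'Forbidden' } };
  }
  const meta = fileStore[ctx.filename];
  if (!meta) return { status: 404, body: { error: 'not found' } };
  const afterCtx = { ...ctx, result: { metadata: { ...meta } } };
  try {
    runTrigger('afterFind', afterCtx);
  } catch (err) {
    return { status: 403, body: { error: err.message || 'Forbidden' } };
  }
  return { status: 200, body: afterCtx.result };
}

// The advisory's workaround expressed as a handler: reject every request
// to the metadata route, regardless of caller or file.
function workaroundHandler() {
  return { status: 403, body: { error: 'Forbidden' } };
}

// Constructed access policy: only the owner (or anyone, for public files)
// may find a file, and non-owners never see the classification field.
registerFileTrigger('beforeFind', (ctx) => {
  const meta = fileStore[ctx.filename];
  if (meta && meta.owner !== 'public' && meta.owner !== ctx.user) {
    throw new Error('Forbidden');
  }
});
registerFileTrigger('afterFind', (ctx) => {
  if (ctx.result.metadata.owner !== ctx.user) {
    delete ctx.result.metadata.classification;
  }
});

// Status codes the three handlers produce for one request; a quick self-check.
function compare(user, filename) {
  const req = { user, params: { filename } };
  return {
    vulnerable: metadataHandlerVulnerable(req).status,
    fixed: metadataHandlerFixed(req).status,
    workaround: workaroundHandler(req).status,
  };
}

console.log(compare('bob', 'report.pdf'));   // { vulnerable: 200, fixed: 403, workaround: 403 }
console.log(compare('alice', 'report.pdf')); // { vulnerable: 200, fixed: 200, workaround: 403 }
```

The first `compare` call is the advisory's scenario: a caller who is not the owner gets the metadata from the unpatched route even though the `beforeFind` policy would deny the find, while the patched route returns 403 and the workaround returns 403 for everyone, owner included.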

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |

References (3)