What is the severity of CVE-2026-29182?

CVE-2026-29182 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-29182?

No known public exploits are currently available for CVE-2026-29182.

Is there a patch available for CVE-2026-29182?

Yes, patches are available for CVE-2026-29182. Check the vendor advisories for update instructions.

CVE-2026-29182 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-29182?

### Impact Parse Server's `readOnlyMasterKey` option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the `readOnlyMasterKey` for mutating operations. This allows a caller who only holds the `readOnlyMasterKey` to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the `readOnlyMasterKey` option is affected. Note than an attacker needs to know the `readOnlyMasterKey` to exploit this vulnerability. ### Patches The fix adds authorization checks, rejecting mutating requests made with the `readOnlyMasterKey`. ### Workarounds There is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the `readOnlyMasterKey` value is not shared with untrusted parties. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh - Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3 - Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.

Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability.

Patches

The fix adds authorization checks, rejecting mutating requests made with the readOnlyMasterKey.

Workarounds

There is no known workaround other than upgrading. If upgrading is not immediately possible, ensure the readOnlyMasterKey value is not shared with untrusted parties.

Resources

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh
Fixed in Parse Server 9.4.1-alpha.3: https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3
Fixed in Parse Server 8.6.4: https://github.com/parse-community/parse-server/releases/tag/8.6.4

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com