What is the CVSS score of CVE-2026-29182?

CVE-2026-29182 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-29182?

Parse Server deployments using the readOnlyMasterKey feature are vulnerable to unauthorized data modification despite the key being documented to prevent write operations.. A patch is available.

Node.js CVE-2026-29182

HIGH

Incorrect Authorization (CWE-863)

2026-03-06 security-advisories@github.com

GHSA-vc89-5g3r-cmhh

Node.js Parse Server

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

Patch released

Mar 10, 2026 - 19:53 nvd

Patch available

CVE Published

Mar 06, 2026 - 21:16 nvd

HIGH 7.2

DescriptionNVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.

AnalysisAI

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

RemediationAI

Within 24 hours: Identify all Parse Server instances using readOnlyMasterKey and assess exposure scope. Within 7 days: Apply vendor patches (versions 8.6.4 or 9.4.1-alpha.3 or later) to all affected systems, beginning with production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-29182 vulnerability details – vuln.today

Back

Node.js CVE-2026-29182

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code