What is the CVSS score of CVE-2026-30229?

CVE-2026-30229 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-30229?

A critical authentication bypass vulnerability in Parse Server allows attackers with read-only master key access to impersonate any user and obtain valid session tokens, potentially compromising user…. A patch is available.

Node.js CVE-2026-30229

HIGH

Incorrect Authorization (CWE-863)

2026-03-06 security-advisories@github.com

GHSA-79wj-8rqv-jvp5

Node.js Parse Server

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 21:16 nvd

HIGH 7.2

DescriptionNVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.

AnalysisAI

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. …

RemediationAI

Within 24 hours: Inventory all Parse Server deployments and document current versions; restrict network access to /loginAs endpoint and review master key access logs for suspicious activity. Within 7 days: Implement compensating controls (WAF rules blocking POST /loginAs, network segmentation limiting master key exposure); engage Parse Server community for patch timeline and evaluate migration options. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-30229 vulnerability details – vuln.today

Back

Node.js CVE-2026-30229

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code