What is the CVSS score of CVE-2026-31872?

CVE-2026-31872 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of PostgreSQL are affected by CVE-2026-31872?

Parse Server deployments are vulnerable to a HIGH severity authentication bypass that allows attackers to extract protected field values through query manipulation, potentially exposing sensitive…. A patch is available.

PostgreSQL CVE-2026-31872

HIGH

Improper Access Control (CWE-284)

2026-03-11 security-advisories@github.com

GHSA-r2m8-pxm9-9c4g

Authentication Bypass PostgreSQL Node.js Parse Server

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 18:16 nvd

HIGH 7.5

DescriptionNVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.

AnalysisAI

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. …

RemediationAI

Within 24 hours: Inventory all Parse Server instances and versions in production; assess whether protected fields contain sensitive data (credentials, PII, financial info). Within 7 days: Implement network segmentation to restrict Parse Server access to trusted applications only; deploy WAF rules to block dot-notation patterns in query parameters (e.g., filter requests containing '.' in WHERE and sort clauses); disable public API access if not business-critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-31872 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-31872

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code