Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 081fb2b4a902 · 2026-03-11T00:18:29.000Z
GHSA-48mh-j4p5-7j9v GHSA-7ch5-98q2-7289 GHSA-8rgj-vrfr-6hqr GHSA-cmj3-wx7h-ffvg GHSA-hcj7-6gxh-24ww GHSA-vgjh-hmwf-c588
diff --git a/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json b/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-48mh-j4p5-7j9v",
+  "modified": "2026-03-11T00:17:53Z",
+  "published": "2026-03-11T00:17:53Z",
+  "aliases": [
+    "CVE-2026-30949"
+  ],
+  "summary": "Parse Server missing audience validation in Keycloak authentication adapter",
+  "details": "### Impact\n\nThe Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured `client-id`. A valid access token issued by the same Keycloak realm for a *different* client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms.\n\nAll Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected.\n\n### Patches\n\nThe fix replaces the userinfo HTTP call with local JWT verification and enforces `azp` claim validation against the configured `client-id`.\n\n### Workarounds\n\nNone.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.18",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.5.2-alpha.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.18"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30949"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:17:53Z",
+    "nvd_published_at": "2026-03-10T21:16:47Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-7ch5-98q2-7289/GHSA-7ch5-98q2-7289.json b/advisories/github-reviewed/2026/03/GHSA-7ch5-98q2-7289/GHSA-7ch5-98q2-7289.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7ch5-98q2-7289",
+  "modified": "2026-03-11T00:17:16Z",
+  "published": "2026-03-11T00:17:16Z",
+  "aliases": [
+    "CVE-2026-30947"
+  ],
+  "summary": "Parse Server has a bypass of class-level permissions in LiveQuery",
+  "details": "### Impact\n\nClass-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions.\n\nAll Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time.\n\n### Patches\n\nThe fix enforces CLP before creating the subscription and during event delivery.\n\n### Workarounds\n\nDisable LiveQuery for classes that use CLP restrictions by removing them from the `liveQuery.classNames` server configuration.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.16",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.5.2-alpha.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.16"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30947"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:17:16Z",
+    "nvd_published_at": "2026-03-10T21:16:47Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-8rgj-vrfr-6hqr/GHSA-8rgj-vrfr-6hqr.json b/advisories/github-reviewed/2026/03/GHSA-8rgj-vrfr-6hqr/GHSA-8rgj-vrfr-6hqr.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8rgj-vrfr-6hqr",
+  "modified": "2026-03-11T00:16:41Z",
+  "published": "2026-03-11T00:16:41Z",
+  "aliases": [
+    "CVE-2026-30945"
+  ],
+  "summary": "StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service",
+  "details": "## Summary\nThe DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations.\n\n## Details\n#### Vulnerable Code\nThe following is the server-side handler for the `DELETE /studiocms_api/dashboard/api-tokens` endpoint (`revokeApiToken`):\n\n**File:** packages/studiocms/frontend/pages/studiocms_api/dashboard/api-tokens.ts (lines 58–99)\n**Version:** studiocms@0.3.0\n```\nDELETE: (ctx) =>\n    genLogger('studiocms/routes/api/dashboard/api-tokens.DELETE')(function* () {\n        const sdk = yield* SDKCore;\n\n        // Check if demo mode is enabled\n        if (developerConfig.demoMode !== false) {\n            return apiResponseLogger(403, 'Demo mode is enabled, this action is not allowed.');\n        }\n\n        // Get user data\n        const userData = ctx.locals.StudioCMS.security?.userSessionData;       // [1]\n\n        // Check if user is logged in\n        if (!userData?.isLoggedIn) {                                            // [2]\n            return apiResponseLogger(403, 'Unauthorized');\n        }\n\n        // Check if user has permission\n        const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isEditor;  // [3]\n        if (!isAuthorized) {\n            return apiResponseLogger(403, 'Unauthorized');\n        }\n\n        // Get Json Data\n        const jsonData = yield* readAPIContextJson<{\n            tokenID: string;                                                    // [4]\n            userID: string;                                                     // [5]\n        }>(ctx);\n\n        // Validate form data\n        if (!jsonData.tokenID) {\n            return apiResponseLogger(400, 'Invalid form data, tokenID is required');\n        }\n\n        if (!jsonData.userID) {\n            return apiResponseLogger(400, 'Invalid form data, userID is required');\n        }\n\n        // [6] Both user-controlled values passed directly — no ownership or identity checks\n        yield* sdk.REST_API.tokens.delete({ tokenId: jsonData.tokenID, userId: jsonData.userID });\n\n        return apiResponseLogger(200, 'Token deleted');                         // [7]\n    }),\n```\n**Analysis**\nThe handler shares the same class of authorization flaws found in the token generation endpoint, applied to a destructive operation:\n1. **Insufficient permission gate [1][2][3]:** The handler retrieves the session from ctx.locals.StudioCMS.security and only checks isEditor. Token revocation is a high-privilege operation that should require ownership of the token or elevated administrative privileges — not a generic editor-level gate.\n2. **No token ownership validation [4][6]:** The handler does not verify that jsonData.tokenID actually belongs to the jsonData.userID supplied in the payload. An attacker could enumerate or guess token IDs and revoke them regardless of ownership.\n3. **Missing caller identity check [5][6]:** The jsonData.userID from the payload is never compared against userData (the authenticated caller from [1]). Any editor can specify an arbitrary target user UUID and revoke their tokens.\n4. **No role hierarchy enforcement [6]:** There is no check preventing a lower-privileged user (editor) from revoking tokens belonging to higher-privileged accounts (admin, owner).\n5. **Direct pass-through to destructive operation [6][7]:** Both user-controlled parameters are passed directly to sdk.REST_API.tokens.delete() without any server-side validation, and the server responds with a generic success message, making this a textbook IDOR.\n\n## PoC\n**Environment**\n*User ID | Role*\n2450bf33-0135-4142-80be-9854f9a5e9f1 | owner\n39b3e7d3-5eb0-48e1-abdc-ce95a57b212c | editor\n\n**Attack — Editor Revokes Owner's API Token**\nAn authenticated editor sends the following request to revoke a token belonging to the owner:\n```\nDELETE /studiocms_api/dashboard/api-tokens HTTP/1.1\nHost: 127.0.0.1:4321\nCookie: auth_session=<editor_session_cookie>\nContent-Type: application/json\nAccept: application/json\nContent-Length: 98\n\n{\n  \"tokenID\": \"16a2e549-513b-40ac-8ca3-858af6118afc\",\n  \"userID\": \"2450bf33-0135-4142-80be-9854f9a5e9f1\"\n}\n```\n\n**Response (HTTP 200):**\n```\n{\"message\":\"Token deleted\"}\n```\nThe server confirmed deletion of the owner's token. The tokenID here refers to the internal token record identifier (UUID), not the JWT value itself. The editor's session cookie was sufficient to authorize this destructive action against a higher-privileged user.\n\n## Impact\n- **Denial of Service on integrations:** API tokens used in CI/CD pipelines, third-party integrations, or monitoring systems can be silently revoked, causing automated workflows to fail without warning.\n- **No audit trail:** The revocation is processed as a legitimate operation — the only evidence is the editor's own session, making attribution difficult without detailed request logging.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "studiocms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.3.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30945"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/commit/9eec9c3b45523b635cfe16d55aa55afabacbebe3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/withstudiocms/studiocms"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:16:41Z",
+    "nvd_published_at": "2026-03-10T18:18:54Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-cmj3-wx7h-ffvg/GHSA-cmj3-wx7h-ffvg.json b/advisories/github-reviewed/2026/03/GHSA-cmj3-wx7h-ffvg/GHSA-cmj3-wx7h-ffvg.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cmj3-wx7h-ffvg",
+  "modified": "2026-03-11T00:16:48Z",
+  "published": "2026-03-11T00:16:48Z",
+  "aliases": [
+    "CVE-2026-30946"
+  ],
+  "summary": "Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API",
+  "details": "### Impact\n\nAn unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs.\n\nAll Parse Server deployments using the REST or GraphQL API are affected.\n\n### Patches\n\nThe vulnerability is fixed by introducing configurable request complexity limits via the `requestComplexity` server option with the following keys:\n\n- `subqueryDepth`: Maximum nesting depth for `$inQuery`, `$notInQuery`, `$select`, `$dontSelect`\n- `includeDepth`: Maximum depth of dot-separated `include` paths\n- `includeCount`: Maximum number of `include` fields per query\n- `graphQLDepth`: Maximum depth of GraphQL field selections\n- `graphQLFields`: Maximum number of field selections in a GraphQL query\n\nIf the server options are not set their default values apply to fix the vulnerability. Requests using master key or maintenance key bypass these limits. Set any property to `-1` to disable that specific limit.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.15",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.15"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.5.2-alpha.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30946"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.15"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:16:48Z",
+    "nvd_published_at": "2026-03-10T21:16:47Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-hcj7-6gxh-24ww/GHSA-hcj7-6gxh-24ww.json b/advisories/github-reviewed/2026/03/GHSA-hcj7-6gxh-24ww/GHSA-hcj7-6gxh-24ww.json
diff --git a/advisories/github-reviewed/2026/03/GHSA-vgjh-hmwf-c588/GHSA-vgjh-hmwf-c588.json b/advisories/github-reviewed/2026/03/GHSA-vgjh-hmwf-c588/GHSA-vgjh-hmwf-c588.json
