CVE-2026-30850: Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

March 9, 2026

The file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata.

This affects any deployment that relies on Parse.Cloud.beforeFind(Parse.File, ...) to restrict file access. Only file metadata (user-defined key-value pairs set via addMetadata) is exposed; file content remains protected.

References

github.com/advisories/GHSA-hwx8-q9cg-mqmc
github.com/parse-community/parse-server
github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc
nvd.nist.gov/vuln/detail/CVE-2026-30850

Code Behaviors & Features

Detect and mitigate CVE-2026-30850 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →