CVE-2026-30850: Missing Authorization in Parse Server File Metadata Endpoint

Parse Server is an open-source Node.js backend framework that utilizes a trigger system (beforeFind, afterFind) to enforce access control and business logic. Administrators configure these triggers to validate session tokens, verify user roles, or restrict object interactions based on custom security policies. This system forms the primary authorization boundary for data retrieval operations.

CVE-2026-30850 is a missing authorization flaw (CWE-862) residing specifically in the file metadata retrieval endpoint. The endpoint processes incoming HTTP requests but fails to pass the execution flow through the established security triggers. This design oversight effectively nullifies any developer-implemented access controls for file metadata operations.

The impact is limited to the exposure of file metadata, which often contains user-defined key-value pairs, tags, ownership identifiers, or internal application IDs. The vulnerability does not permit access to the raw binary file content. The core binary data routing logic maintains proper access control enforcement, correctly containing the data exposure scope.

The root cause of the vulnerability exists in the metadataHandler function located within src/Routers/FilesRouter.js. This function is responsible for processing incoming HTTP requests directed at the /files/:appId/metadata/:filename API route. The handler operates by extracting the filename parameter and directly passing it to the internal storage controller.

In a secure Parse Server implementation, fetching an object requires instantiating a Parse.File class and routing it through the trigger pipeline. The metadataHandler bypasses this abstraction layer completely. It interacts directly with the storage backend without constructing the necessary class representation or invoking the trigger middleware.

The vulnerable code executes filesController.getMetadata(filename) directly. It then immediately serializes the resulting data structure and returns an HTTP 200 response to the client. The complete absence of triggers.maybeRunFileTrigger calls in this execution path ensures that no authorization checks evaluate the request.

Examining the vulnerable implementation reveals the direct data access pattern. The metadataHandler extracts the filename and immediately calls the storage controller, prioritizing data retrieval over authorization enforcement.

async metadataHandler(req, res) {
  try {
    const config = Config.get(req.params.appId);
    const { filesController } = config;
    const filename = FilesRouter._getFilenameFromParams(req);
    
    // VULNERABLE: Directly fetches metadata without checking triggers
    const data = await filesController.getMetadata(filename);
    
    res.status(200);
    res.json(data);
  } catch {
    res.status(200);
    res.json({});
  }
}

The patch introduced in Pull Request #10106 resolves this flaw by explicitly instantiating a Parse.File object and routing the operation through the application's trigger system. The updated code enforces the security boundaries by invoking the beforeFind and afterFind events before and after the storage controller interaction.

// PATCHED: Enforces triggers before and after retrieval
const file = new Parse.File(filename, { base64: '' });
 
await triggers.maybeRunFileTrigger(triggers.Types.beforeFind, { file }, config, req.auth);
 
const data = await filesController.getMetadata(filename);
 
await triggers.maybeRunFileTrigger(triggers.Types.afterFind, { file }, config, req.auth);

Exploitation requires the attacker to satisfy the CVSS Attack Requirements (AT:P) condition by possessing prior knowledge of a valid filename stored within the Parse Server instance. The endpoint requires the exact filename to target the metadata request. Attackers typically obtain these filenames through application reconnaissance or secondary data disclosure vulnerabilities.

An attacker executes the exploit by issuing an unauthenticated HTTP GET request to the target URI path: /files/:appId/metadata/:filename. The application router matches this request and directs execution to the vulnerable metadataHandler. The lack of authentication requirements in the initial routing phase allows external network actors to initiate the request.

The server processes the request without evaluating the beforeFind trigger logic. It returns an HTTP 200 OK status containing a JSON payload populated with the target file's metadata. This circumvents any session token validation, access control lists (ACLs), or role-based restrictions established by the application developer.

The security impact is confined to the unauthorized exposure of file metadata. Attackers gain read access to user-defined key-value pairs associated with stored files. Application developers frequently use these metadata fields to store operational data, including document classifications, internal reference IDs, or ownership identifiers.

The vulnerability does not compromise the confidentiality of the actual file content. Requests targeting the raw file data route through separate handler logic that correctly enforces the Parse.File access controls. This separation of routing logic mitigates the severity of the flaw, preventing mass extraction of sensitive binary data.

The vulnerability is classified as Medium severity, carrying a CVSS 4.0 score of 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N). The Exploit Prediction Scoring System (EPSS) assigns it a low probability of exploitation at 0.00049. This score reflects the specific prerequisite of knowing the filename and the generally low systemic value of isolated file metadata in complex attack chains.

The primary remediation strategy requires upgrading the Parse Server dependency to a patched release. Administrators must update active deployments to version 8.6.9 for the stable branch or version 9.5.0-alpha.9 for environments utilizing pre-release builds. Upgrading replaces the vulnerable handler logic with the trigger-enforced implementation.

Deployments unable to patch immediately must implement a temporary mitigation using Express middleware. This workaround intercepts requests destined for the metadata endpoint before they reach the Parse Server router. The middleware effectively neutralizes the attack vector without requiring source code modifications to the Parse Server package.

Administrators configure the middleware to match the specific mount path and return an HTTP 403 Forbidden status. The exact path must reflect the application's configured mount point (e.g., /parse/files/:appId/metadata/:filename).

> [!NOTE]
> Ensure this middleware is mounted before initializing the Parse Server instance.
 
app.get('/parse/files/:appId/metadata/:filename', (req, res) => {
  res.status(403).json({ error: 'Forbidden' });
});