Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized real‑time data exposure via LiveQuery
Action: Immediate Patch
AI Analysis

Impact

Parse Server does not enforce class‑level permissions for LiveQuery subscriptions prior to version 8.6.16 and 9.5.2‑alpha.3. An unauthenticated or unauthorized client can subscribe to any LiveQuery‑enabled class and receive real‑time events for all objects regardless of the configured permissions. The result is a direct leak of data that should be restricted, allowing an attacker to exfiltrate sensitive information as it changes. This flaw is a classic example of a missing authorization check, identified as CWE‑863.

Affected Systems

All deployments of Parse Server that use LiveQuery with class‑level permissions and are running a version earlier than 8.6.16 or earlier than 9.5.2‑alpha.3 are affected. The affected product is the open‑source Parse Server from Parse Platform, which can be hosted on any Node.js‑capable infrastructure.

Risk and Exploitability

The flaw has a high CVSS score of 8.7, indicating significant impact. The EPSS score is less than 1 %, suggesting that exploitation attempts are unlikely to be widespread at present, and it is not listed in the CISA KEV catalog. However, the vulnerability can be leveraged over the network by sending a subscription request to the LiveQuery endpoint. The attack is feasible for anyone with network access to the Parse Server instance, and no privileged credentials are required. Given the real‑time nature of the data leakage, the risk to confidentiality is high even if exploitation is currently rare.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.16 or newer, or 9.5.2‑alpha.3 or later, which contain the fix that enforces class‑level permissions on LiveQuery.
  • If an upgrade cannot be performed immediately, disable the LiveQuery feature in the Parse Server configuration to prevent subscription traffic.
  • Restrict network access to the LiveQuery endpoint using firewall rules or network segmentation, ensuring that only trusted clients can reach it.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7ch5-98q2-7289 Parse Server has a bypass of class-level permissions in LiveQuery
History

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Title Parse Server ha a bypass of class-level permissions in LiveQuery
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:44:51.461Z

Reserved: 2026-03-07T17:34:39.980Z

Link: CVE-2026-30947

cve-icon Vulnrichment

Updated: 2026-03-11T14:44:47.045Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:47.500

Modified: 2026-03-11T17:15:05.887

Link: CVE-2026-30947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses