Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Parse Server, an open‑source Node.js backend, enables LiveQuery subscriptions that can include a WHERE clause referencing protected fields. By creating such a subscription, an attacker can observe whether LiveQuery events are delivered for matching objects, effectively creating a boolean oracle. This allows the attacker to infer the values of protected fields without receiving them directly. The vulnerability is identified as a CWE‑200 information disclosure issue.

Affected Systems

The vulnerability affects parse-community’s Parse Server. All releases prior to 9.6.0‑alpha.9 and 8.6.35 are vulnerable. Any class configured with protectedFields in its class‑level permissions and with LiveQuery enabled is susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. An EPSS score of less than 1% suggests the exploitation probability is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, via the LiveQuery subscription API. An attacker can craft a subscription that references a protected field, observe event delivery, and deduce the field’s value, thereby compromising confidentiality of protected data.

Generated by OpenCVE AI on March 17, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0‑alpha.9 or 8.6.35 which contain the fix
  • Review and, if possible, restrict LiveQuery usage and remove protectedField configurations for classes that do not require them

Generated by OpenCVE AI on March 17, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j7mm-f4rv-6q6q Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Title Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:52:52.859Z

Reserved: 2026-03-10T22:02:38.853Z

Link: CVE-2026-32098

cve-icon Vulnrichment

Updated: 2026-03-12T19:52:49.744Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:18.400

Modified: 2026-03-13T17:06:58.223

Link: CVE-2026-32098

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:26Z

Weaknesses