Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.
Published: 2026-03-31
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

Parse Server's LiveQuery feature processes multiple client subscriptions concurrently using shared mutable objects. Prior to versions 8.6.65 and 9.7.0-alpha.9, the filter that removes protected fields modifies these objects in place. As a result, when one subscriber's filter removes a protected field, the underlying object is already altered by the time a subsequent subscriber is processed, which can lead to the accidental disclosure of protected data or authentication information, or to delivery of an incomplete object. Modifications made by afterEvent Cloud Code triggers can likewise leak between subscribers through the same shared state. This is a concurrency error (CWE-362, race condition).
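An added example (not Parse Server's own code) that models the shared-mutable-state flaw described above: the in-place filter mutates the single object handed to every subscriber, so the first subscriber's filtering decides what later subscribers receive, while the per-subscriber copy keeps them isolated. The schema, access check and client records are constructed for illustration.

```javascript
// Added example (not Parse Server code): models the LiveQuery flaw in
// CVE-2026-34363. The protected-field filter mutates the one object that
// all concurrent subscribers share, so the first subscriber's filtering
// changes what later subscribers receive. Names below are hypothetical.

// Constructed schema: protected fields per class.
const PROTECTED = { _User: ['email', 'authData'] };

// Stand-in access check: only the owner (or an admin) sees protected fields.
function canSeeProtected(client, object) {
  return client.role === 'admin' || client.userId === object.objectId;
}

// VULNERABLE pattern: every subscriber's filter deletes from the same object.
function filterInPlace(client, object) {
  if (!canSeeProtected(client, object)) {
    for (const f of PROTECTED[object.className] || []) delete object[f];
  }
  return object;
}

// HARDENED pattern: each subscriber gets its own deep copy to filter.
function filterPerSubscriber(client, object) {
  const copy = structuredClone(object);
  if (!canSeeProtected(client, copy)) {
    for (const f of PROTECTED[copy.className] || []) delete copy[f];
  }
  return copy;
}

// Fan one event out to every subscriber, as the LiveQuery handler does.
// Returns a map of subscriber id -> object that subscriber would receive.
function deliver(filter, subscribers, object) {
  const out = {};
  for (const c of subscribers) out[c.id] = filter(c, object);
  return out;
}

// Constructed event and subscribers: the guest happens to be handled first.
const EVENT = { className: '_User', objectId: 'u1', username: 'alice',
                email: 'alice@example.com', authData: { token: 'x' } };
const SUBSCRIBERS = [
  { id: 'guest', role: 'user', userId: 'u2' },  // must not see email
  { id: 'owner', role: 'user', userId: 'u1' },  // should see own email
];

const leaky = deliver(filterInPlace, SUBSCRIBERS, structuredClone(EVENT));
const fixed = deliver(filterPerSubscriber, SUBSCRIBERS, structuredClone(EVENT));
console.log('owner email (vulnerable):', leaky.owner.email);  // undefined
console.log('owner email (hardened):  ', fixed.owner.email);  // alice@example.com
```

Reversing the subscriber order shows why the outcome is order-dependent: the owner would then see their fields, and the guest would receive an object the owner's filter never stripped.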

Affected Systems

Any deployment of Parse Server (parse-community:parse-server) before version 8.6.65, or in the 9.7.0 alpha series before 9.7.0-alpha.9, that uses LiveQuery with protected fields or afterEvent triggers is affected. The affected release tree includes the alpha series through 9.7.0-alpha.8 and the stable releases before 8.6.65.

Risk and Exploitability

The vulnerability has a CVSS score of 8.2, indicating high severity. Its EPSS score is below 1%, suggesting a low likelihood of widespread exploitation, and it is not listed in CISA's KEV catalog. Exploitation requires the ability to subscribe to the same LiveQuery class, through an exposed API endpoint or an application's client library, and to send data that exercises the shared mutable state path. The impact is limited to the data returned for that class, but disclosure of protected fields or authentication details can be consequential. An attacker who knows the data model and holds suitable access permissions can use this path to obtain privileged data they are not meant to see.

Generated by OpenCVE AI on April 2, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.65 or later, or to 9.7.0-alpha.9 or later, which isolates LiveQuery subscriber state.
  • If an upgrade cannot be applied immediately, temporarily disable LiveQuery for clients that should not see protected fields, or remove afterEvent Cloud Code triggers that modify shared state.
  • Verify that no other Cloud Code hooks use shared mutable objects in a concurrent context.
  • Monitor request logs for repeated LiveQuery activity originating from unauthorized or unexpected sources.

Advisories
Source       ID                   Title
Github GHSA  GHSA-m983-v2ff-wq65  LiveQuery protected field leak via shared mutable state across concurrent subscribers
History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Parseplatform
                                     Parseplatform parse-server
CPEs                                 cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
                                     cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
Vendors & Products                   Parseplatform
                                     Parseplatform parse-server
Metrics                              cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Parse Community
                                     Parse Community parse Server
Vendors & Products                   Parse Community
                                     Parse Community parse Server

Tue, 31 Mar 2026 19:15:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:00:00 +0000

Type         Values Removed  Values Added
Description                  (initial description; identical to the Description at the top of this page)
Title                        Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Weaknesses                   CWE-362
References
Metrics                      cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:52:55.822Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34363

Vulnrichment

Updated: 2026-03-31T18:50:23.059Z

NVD

Status : Analyzed

Published: 2026-03-31T15:16:18.863

Modified: 2026-04-02T18:11:29.520

Link: CVE-2026-34363

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:29Z

Weaknesses