Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Data Exposure via LiveQuery Field Bypass
Action: Patch Immediately
AI Analysis

Impact

Prior to certain releases of Parse Server, an authenticated user who has permission to perform find operations can circumvent the protectedFields guard on LiveQuery subscriptions. By sending a subscription payload that includes a logical operator such as $or, $and, or $nor, the attacker can replace the expected array with an "array-like" object that has numeric keys and a length property. The resulting subscription event acts as a binary oracle, revealing whether a protected field contains a value that matches the attacker’s test. The primary consequence is unauthorized disclosure of data that should be hidden from that user. This vulnerability does not allow arbitrary code execution but can leak confidential information.

Affected Systems

The issue affects the parse-community open-source Parse Server. Releases before 8.6.70 on the 8.x line (that is, 8.6.69 and earlier) and 9.x prereleases before 9.7.0-alpha.18 (9.7.0-alpha.17 and earlier) are vulnerable; 8.6.70 and 9.7.0-alpha.18 contain the fix. The bypass is specific to LiveQuery subscriptions, so a deployment only exposes it for classes it has enabled for LiveQuery (Parse Server serves subscriptions only for classes listed in its liveQuery.classNames option); the ordinary find path is not described as affected. Any infrastructure running one of the older versions with LiveQuery enabled on a class that uses protectedFields is at risk.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates moderate severity: reachable over the network, low attack complexity, low privileges required, and impact limited to confidentiality. No EPSS score is available, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none, so no exploitation in the wild was known when this page was generated. The attacker must be authenticated and hold find permission on the target class, but that is exactly the situation protectedFields is designed for: the setting exists to hide fields from users who are otherwise allowed to query the class, so every such user is a potential attacker, including on deployments whose permissions are configured as intended. Each probe is an ordinary LiveQuery subscription whose firing answers one yes/no question (does the protected field equal this value?), so fields with a small value space, such as flags, roles or short identifiers, can be enumerated in a handful of subscriptions, while long high-entropy values are impractical to guess this way. Because the probes are well-formed requests, detection requires inspecting subscription payloads for $or, $and or $nor values that are plain objects rather than arrays. The data-leakage risk warrants prompt patching.

Generated by OpenCVE AI on March 31, 2026 at 16:20 UTC.

Remediation

The upstream fix ships in Parse Server 8.6.70 and 9.7.0-alpha.18 (see the description above and GHSA-mmg8-87c5-jrc2 under Advisories). No separate vendor workaround is published for deployments that cannot update.

OpenCVE Recommended Actions

  • Update to Parse Server 8.6.70 or later, or 9.7.0-alpha.18 or later, which contain the fix for the LiveQuery protected-field guard
  • Review and enforce least-privilege permissions: limit find access on classes that carry protectedFields to users who need it, and keep classes that rely on protectedFields out of liveQuery.classNames unless a subscription on them is genuinely required
  • If an immediate update is not possible, either disable LiveQuery for classes that rely on protectedFields, or validate every subscription query so that the value of $or, $and and $nor is rejected unless Array.isArray() returns true for it at every nesting level; an object that merely has numeric keys and a length property must never be accepted as an array

Generated by OpenCVE AI on March 31, 2026 at 16:20 UTC.
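The guard-versus-matcher mismatch that the description calls a binary oracle, and the array validation the last recommended action asks for, modelled in JavaScript. This is an added example written for this page; it is not Parse Server's code and not the upstream patch. The function names, the ssn field and the sample object are assumptions, and the guard and matcher are simplified stand-ins that show only the shape of the bug: one code path tests Array.isArray while the other iterates by index up to .length, so the two disagree on an array-like object.

```javascript
// Added model of the LiveQuery protected-field guard bypass described above.
// Written for this page; it is NOT Parse Server's source. Function names,
// the "ssn" field and the sample object are assumptions made for illustration.

const LOGICAL_OPS = ['$or', '$and', '$nor'];

// Guard as modelled here: it only descends into real arrays, so an
// "array-like" value ({0: {...}, length: 1}) hides the clause it carries.
function guardReferencesProtected(where, protectedFields) {
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      if (Array.isArray(value) &&
          value.some(sub => guardReferencesProtected(sub, protectedFields))) {
        return true;
      }
      continue;               // a non-array operator value is silently skipped
    }
    if (protectedFields.includes(key)) return true;
  }
  return false;
}

// Matcher as modelled here: it walks operator values by index up to .length,
// so it evaluates exactly the clauses the guard skipped (CWE-843 in miniature).
function matches(object, where) {
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or') {
      let any = false;
      for (let i = 0; i < value.length; i++) if (matches(object, value[i])) any = true;
      if (!any) return false;
    } else if (key === '$and') {
      for (let i = 0; i < value.length; i++) if (!matches(object, value[i])) return false;
    } else if (key === '$nor') {
      for (let i = 0; i < value.length; i++) if (matches(object, value[i])) return false;
    } else if (object[key] !== value) {
      return false;           // plain equality is enough for this model
    }
  }
  return true;
}

// Vulnerable subscription path: run the guard, then fire the event if the
// stored object matches. 'event' versus 'silent' is the one-bit oracle.
function subscribeVulnerable(where, object, protectedFields) {
  if (guardReferencesProtected(where, protectedFields)) return 'rejected';
  return matches(object, where) ? 'event' : 'silent';
}

// Hardening: insist on Array.isArray for every logical operator at every
// nesting level before anything else looks at the query. This is the
// "custom validation" mitigation in concrete form, not the upstream patch.
function assertLogicalOperatorsAreArrays(where) {
  if (where === null || typeof where !== 'object') return;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      if (!Array.isArray(value)) throw new Error(`${key} must be an array`);
      value.forEach(sub => assertLogicalOperatorsAreArrays(sub));
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      assertLogicalOperatorsAreArrays(value);   // e.g. {field: {$in: [...]}}
    }
  }
}

function subscribeFixed(where, object, protectedFields) {
  try { assertLogicalOperatorsAreArrays(where); } catch (e) { return 'rejected'; }
  return subscribeVulnerable(where, object, protectedFields);
}

// Attacker side: one subscription per candidate value, each wrapped in an
// array-like $or. Returns the candidates for which the event fired.
function oracleProbe(subscribe, field, candidates, object, protectedFields) {
  const hits = [];
  for (const candidate of candidates) {
    const where = { $or: { 0: { [field]: candidate }, length: 1 } };   // not an Array
    if (subscribe(where, object, protectedFields) === 'event') hits.push(candidate);
  }
  return hits;
}

// Constructed sample data, not taken from any real deployment.
const PROTECTED = ['ssn'];
const STORED = { name: 'alice', ssn: '123-45-6789' };
const CANDIDATES = ['111-11-1111', '123-45-6789', '999-99-9999'];

console.log('vulnerable:', oracleProbe(subscribeVulnerable, 'ssn', CANDIDATES, STORED, PROTECTED));
console.log('fixed:     ', oracleProbe(subscribeFixed, 'ssn', CANDIDATES, STORED, PROTECTED));
```

Run it with node: the vulnerable path reports the one candidate that matched the protected value, the fixed path reports nothing because every probe is rejected before the guard or matcher sees it. The point to carry over to a real deployment is that Array.isArray is the only reliable test; `value.length` and an index-based `for` loop accept plain objects too, which is what lets two code paths disagree about the same query.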


Advisories
Source: GitHub GHSA
ID: GHSA-mmg8-87c5-jrc2
Title: Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:30:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.

Type: Title
Values Added: Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Type: Weaknesses
Values Added: CWE-843

Type: References
Values Added: (empty)

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:22:36.470Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34595

Vulnrichment

Updated: 2026-03-31T17:22:32.842Z

NVD

Status: Received

Published: 2026-03-31T16:16:34.087

Modified: 2026-03-31T16:16:34.087

Link: CVE-2026-34595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:09Z

Weaknesses