Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value

Description

An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.70

  >= 9.0.0, < 9.7.0-alpha.16**

• Patched version(s): **8.6.70

  9.7.0-alpha.16**

References

• GHSA-mmg8-87c5-jrc2
• CVE-2026-34595
• CWE-843
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
• Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
• Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098
• Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

parse-server