Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Severity:: Medium

Description

An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

Affected version(s): **< 8.6.35 >= 9.0.0, < 9.6.0-alpha.9**
Patched version(s): **8.6.35 9.6.0-alpha.9**

References

GHSA-j7mm-f4rv-6q6q
CVE-2026-32098
CWE-200
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429
Parse Server leaks protected fields via LiveQuery afterEvent trigger - CVE-2026-33163

Tags:: npm; parse-server

Anything's wrong? Let us know Last updated on March 12, 2026