FKIE_CVE-2026-33163

Vulnerability from fkie_nvd - Published: 2026-03-18 22:16 - Updated: 2026-03-19 16:35
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers. The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.
References
security-advisories@github.comhttps://github.com/parse-community/parse-server/pull/10232Issue Tracking
security-advisories@github.comhttps://github.com/parse-community/parse-server/pull/10233Issue Tracking
security-advisories@github.comhttps://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hffVendor Advisory
Impacted products
Vendor Product Version
parseplatform parse-server *
parseplatform parse-server *
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F9E8CF62-B899-419B-AC14-C0C208455A4D",
              "versionEndExcluding": "8.6.50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A",
              "versionEndExcluding": "9.6.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*",
              "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*",
              "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*",
              "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*",
              "matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*",
              "matchCriteriaId": "7567BB81-7837-4265-B792-6A9B73CECF93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*",
              "matchCriteriaId": "0035C6F1-21B9-42D1-BE29-690905F3558C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*",
              "matchCriteriaId": "623FB30A-0693-4449-80FA-16D36B1BE66C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*",
              "matchCriteriaId": "9B420167-CD3E-45A7-AD9A-0F83AEC634BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*",
              "matchCriteriaId": "030A8626-DBBD-4BF2-B362-79B44FB1204D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*",
              "matchCriteriaId": "D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*",
              "matchCriteriaId": "65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*",
              "matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*",
              "matchCriteriaId": "23E28E0F-9379-4628-B9DC-8C94A45902CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*",
              "matchCriteriaId": "6631BE51-74FB-40C0-9E91-0EDF2DCADD7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*",
              "matchCriteriaId": "8B0E4254-14A3-4EB6-9E98-CF45EB08B17F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*",
              "matchCriteriaId": "0FF63FDE-75F5-44B6-A958-CF653D84D3B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*",
              "matchCriteriaId": "252B812D-A162-41C1-91CD-08D0CBAC5C46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*",
              "matchCriteriaId": "421691EA-F55A-4738-8ABD-74B53B6DF155",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*",
              "matchCriteriaId": "5E7FAB59-142E-4191-9A6F-0744D810CD81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*",
              "matchCriteriaId": "B010F310-05A1-48AE-B002-8F4C7FA62EB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*",
              "matchCriteriaId": "4D3B2C32-16D8-415B-A49F-060ECE8F0F33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*",
              "matchCriteriaId": "43BE83C2-C756-4A5A-A340-B7D1FB52078D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*",
              "matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*",
              "matchCriteriaId": "702EBB22-3E9F-4CBE-B855-2E3642C530B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*",
              "matchCriteriaId": "7C17AD66-684F-4662-AF16-838FF05F47D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*",
              "matchCriteriaId": "13C25963-CAE7-49AA-A941-254DCE289E35",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*",
              "matchCriteriaId": "B6BF0C2F-DD2B-4864-961F-CA808EF22633",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*",
              "matchCriteriaId": "8FBB21E9-CB73-4CB1-841A-D1C08167DB51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*",
              "matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*",
              "matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*",
              "matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*",
              "matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*",
              "matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*",
              "matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers. The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered."
    },
    {
      "lang": "es",
      "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 9.6.0-alpha.35 y 8.6.50, cuando un disparador \u0027Parse.Cloud.afterLiveQueryEvent\u0027 se registra para una clase, el servidor LiveQuery filtra campos protegidos y \u0027authData\u0027 a todos los suscriptores de esa clase. Los campos configurados como protegidos a trav\u00e9s de Permisos a Nivel de Clase (\u0027protectedFields\u0027) se incluyen en las cargas \u00fatiles de eventos de LiveQuery para todos los tipos de eventos (crear, actualizar, eliminar, entrar, salir). Cualquier usuario con permisos CLP suficientes para suscribirse a la clase afectada puede recibir datos de campos protegidos de otros usuarios, incluyendo informaci\u00f3n personal sensible y tokens OAuth de proveedores de autenticaci\u00f3n de terceros. La vulnerabilidad fue causada por un error de desvinculaci\u00f3n de referencia. Cuando un disparador \u0027afterEvent\u0027 se registra, el servidor LiveQuery convierte el objeto de evento en un \u0027Parse.Object\u0027 para el disparador, luego crea una nueva copia JSON a trav\u00e9s de \u0027toJSONwithObjects()\u0027. El filtro de datos sensibles se aplic\u00f3 a la referencia de \u0027Parse.Object\u0027, pero la copia JSON sin filtrar fue enviada a los clientes. La correcci\u00f3n en las versiones 9.6.0-alpha.35 y 8.6.50 asegura que la copia JSON se reasigne al objeto de respuesta antes de filtrar, de modo que el filtro opera sobre los datos reales enviados a los clientes. Como soluci\u00f3n alternativa, elimine todos los registros de disparadores \u0027Parse.Cloud.afterLiveQueryEvent\u0027. Sin un disparador \u0027afterEvent\u0027, la desvinculaci\u00f3n de referencia no ocurre y los campos protegidos se filtran correctamente."
    }
  ],
  "id": "CVE-2026-33163",
  "lastModified": "2026-03-19T16:35:28.417",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T22:16:26.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/parse-community/parse-server/pull/10232"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/parse-community/parse-server/pull/10233"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.