Data Exposure Vulnerability in Parse Server by Parse Community
CVE-2026-33163

8.2 HIGH

Key Information:

Vendor: Parse Community
CVE Published: 18 March 2026

What is CVE-2026-33163?

Parse Server is vulnerable to a data exposure flaw: when a Parse.Cloud.afterLiveQueryEvent trigger is registered, LiveQuery subscribers receive protected fields and sensitive user information they are not authorized to see. A subscriber who holds only the Class-Level Permissions (CLP) needed to read a class still receives fields that the class's protected-fields configuration is supposed to hide, including personal information and OAuth tokens from third-party providers stored on user objects. The cause is a reference detachment bug in the conversion of event objects to JSON: because of it, the protected-field filtering was not applied to the JSON that was ultimately sent to clients, so responses went out with sensitive data intact. Versions 9.6.0-alpha.35 and 8.6.50 fix this by ensuring the JSON is correctly filtered before it is sent, so subscribers no longer receive protected fields.
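The bug class described above, modelled as an added example. This is not Parse Server's code and not the patch; it is a minimal stand-alone simulation that assumes a stub in place of Parse.Object, a simplified CLP layout using the protectedFields key, a constructed sample user record and a hypothetical trigger. It shows why the leak only occurs when a trigger is registered (the trigger path re-converts the event object, detaching it from the reference that is later filtered), the corrected pipeline that filters the JSON actually being sent, and a check you can run over captured LiveQuery messages received by a low-privilege subscriber:

```javascript
// Added example, not Parse Server code. Models the "reference detachment"
// bug: protected-field filtering is applied to one copy of the object while
// a different, unfiltered copy is what gets sent to the subscriber.

// Constructed sample: a _User object as the server holds it internally.
const SAMPLE_USER = {
  className: '_User',
  objectId: 'abc123',
  username: 'alice',
  email: 'alice@example.com',                              // PII
  authData: { github: { access_token: 'gho_constructed' } } // OAuth token
};

// Constructed CLP: everyone ('*') may read _User, but two fields are protected.
// (The protectedFields key mirrors Parse's CLP layout; role handling is simplified.)
const SAMPLE_CLP = { protectedFields: { '*': ['email', 'authData'] } };

// Assumption: a tiny stand-in for Parse.Object. toJSON() returns a detached copy.
class ParseObjectStub {
  constructor(attrs) { this.attributes = { ...attrs }; }
  toJSON() { return { ...this.attributes }; }
}

// Vulnerable pipeline (model of the bug). A reference to the JSON is kept for
// the later filtering step; when a trigger is registered the event object is
// converted again, producing a new object, and the old reference is filtered
// while the new object is sent.
function buildEventVulnerable(obj, clp, trigger, role = '*') {
  let sendObject = obj.toJSON();
  const filterTarget = sendObject;            // reference kept for filtering
  if (trigger) {
    const event = { object: sendObject };
    trigger(event);                            // hypothetical afterLiveQueryEvent handler
    sendObject = { ...event.object };          // re-converted: reference detached
  }
  for (const k of clp.protectedFields[role] || []) delete filterTarget[k];
  return { op: 'update', object: sendObject };
}

// Corrected pipeline: filter the JSON that is actually about to be sent,
// after the trigger has run, regardless of which copy the trigger touched.
function buildEventFixed(obj, clp, trigger, role = '*') {
  const event = { object: obj.toJSON() };
  if (trigger) trigger(event);
  const out = { ...event.object };
  for (const k of clp.protectedFields[role] || []) delete out[k];
  return { op: 'update', object: out };
}

// Check: which protected fields for this role are present in a message as
// a subscriber received it? Empty array means nothing leaked.
function leakedProtectedFields(message, clp, role = '*') {
  const hidden = clp.protectedFields[role] || [];
  return hidden.filter((k) => Object.prototype.hasOwnProperty.call(message.object, k));
}

// Hypothetical trigger that only touches a harmless field.
function sampleTrigger(event) {
  event.object.username = event.object.username.toUpperCase();
}

// Stand-alone demonstration.
const noTrigger = buildEventVulnerable(new ParseObjectStub(SAMPLE_USER), SAMPLE_CLP, null);
const withTrigger = buildEventVulnerable(new ParseObjectStub(SAMPLE_USER), SAMPLE_CLP, sampleTrigger);
const fixed = buildEventFixed(new ParseObjectStub(SAMPLE_USER), SAMPLE_CLP, sampleTrigger);
console.log('no trigger, vulnerable pipeline leaks:', leakedProtectedFields(noTrigger, SAMPLE_CLP));
console.log('with trigger, vulnerable pipeline leaks:', leakedProtectedFields(withTrigger, SAMPLE_CLP));
console.log('with trigger, fixed pipeline leaks:', leakedProtectedFields(fixed, SAMPLE_CLP));
```

To verify a real deployment, upgrade to a fixed version and then run leakedProtectedFields over the event messages a low-privilege client receives on a LiveQuery subscription to a class with protected fields; any non-empty result means the subscriber is still seeing data the CLP should hide.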

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.35 (fixed in 9.6.0-alpha.35)

parse-server < 8.6.50 (fixed in 8.6.50)

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 18 March 2026

  • Vulnerability Reserved
