Unauthorized Access in Parse Server's LiveQuery WebSocket Interface
CVE-2026-33421

7.1 HIGH

Key Information:

Vendor
CVE Published:
24 March 2026

What is CVE-2026-33421?

Parse Server's LiveQuery WebSocket interface, in versions before 8.6.53 and in 9.x versions before 9.6.0-alpha.42, does not enforce Class-Level Permissions (CLP) or pointer permissions on LiveQuery subscriptions. An authenticated user can therefore subscribe to LiveQuery events for a class and receive real-time updates for objects that the same user is not permitted to read through the REST API, where CLP and pointer permissions are enforced. The result is disclosure of restricted data; the flaw does not allow objects to be modified.
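The following is an added illustrative model of the missing check, written for this page; it is not Parse Server's own code. It treats a LiveQuery subscription as a read of the class and, for each event, evaluates the Parse CLP keys ("*", "requiresAuthentication", a user objectId, "role:<name>") together with pointer permissions declared in readUserFields before deciding whether to deliver the event. The choice of the "find" CLP operation as the one a subscription should satisfy, and the class, users and events below, are assumptions and constructed sample data. The vulnerable path consults only the subscription's query, which is the behaviour the advisory describes; the hardened path additionally requires that the subscriber could read the object.

```javascript
// Added illustrative model, not Parse Server's own code. CLP keys follow
// Parse's schema conventions; treating a subscription as a 'find' read is
// an assumption made for this model.

// Does the class-level permission for a read operation admit this subscriber?
function clpAllowsRead(clp, op, user) {
  const perm = (clp && clp[op]) || {};
  if (perm['*']) return true;                    // public class
  if (!user) return false;                       // anonymous: every key below needs a user
  if (perm.requiresAuthentication) return true;  // any logged-in user
  if (perm[user.id]) return true;                // this user named explicitly
  return (user.roles || []).some((r) => perm[`role:${r}`] === true);
}

// Pointer permission: readUserFields lists pointer fields that, when they
// point at the requesting user, make the object readable regardless of CLP.
function pointerPermissionAllows(clp, user, object) {
  if (!user) return false;
  const fields = (clp && clp.readUserFields) || [];
  return fields.some((f) => {
    const p = object[f];
    return !!p && p.__type === 'Pointer' && p.className === '_User' && p.objectId === user.id;
  });
}

// Equality-only query matcher; enough for the demonstration.
function matchesQuery(where, object) {
  return Object.keys(where).every((k) => object[k] === where[k]);
}

// Vulnerable behaviour as described in the advisory: only the query is consulted,
// so any subscriber sees any object that matches their subscription.
function vulnerableDeliver(sub, clp, object) {
  return matchesQuery(sub.where, object);
}

// Hardened behaviour: the subscriber must also be allowed to read the object,
// either by CLP or by a pointer permission, mirroring what REST enforces.
function hardenedDeliver(sub, clp, object) {
  if (!matchesQuery(sub.where, object)) return false;
  return clpAllowsRead(clp, 'find', sub.user) || pointerPermissionAllows(clp, sub.user, object);
}

// Constructed sample data (not from the advisory).
const INVOICE_CLP = {
  find: { 'role:Finance': true }, // only the Finance role may query Invoice...
  readUserFields: ['owner'],      // ...except that owners may read their own invoices
};
const userPointer = (id) => ({ __type: 'Pointer', className: '_User', objectId: id });
const EVENTS = [
  { objectId: 'inv_alice', status: 'paid', owner: userPointer('u_alice') },
  { objectId: 'inv_bob', status: 'paid', owner: userPointer('u_bob') },
  { objectId: 'inv_open', status: 'open', owner: userPointer('u_bob') },
];
const SUBSCRIBERS = {
  alice: { user: { id: 'u_alice', roles: [] }, where: { status: 'paid' } },
  finance: { user: { id: 'u_fin', roles: ['Finance'] }, where: { status: 'paid' } },
  anon: { user: null, where: { status: 'paid' } },
};

// Run every event through a delivery policy; returns objectIds seen per subscriber.
function deliveredObjectIds(deliver) {
  const seen = {};
  for (const [name, sub] of Object.entries(SUBSCRIBERS)) {
    seen[name] = EVENTS.filter((o) => deliver(sub, INVOICE_CLP, o)).map((o) => o.objectId);
  }
  return seen;
}

console.log('vulnerable:', deliveredObjectIds(vulnerableDeliver));
console.log('hardened:  ', deliveredObjectIds(hardenedDeliver));
```

With the vulnerable policy, alice (and even an unauthenticated subscriber) receives bob's paid invoice; with the hardened policy alice sees only the invoice whose owner pointer is hers, the Finance role sees both paid invoices, and the anonymous subscriber sees nothing. Comparing what a session token can obtain from `GET /classes/<Class>` against what the same token receives over a LiveQuery subscription is the practical way to confirm a deployment is patched.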

Affected Version(s)

parse-server < 8.6.53

parse-server >= 9.0.0, < 9.6.0-alpha.42
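Deciding whether an installed build falls inside the two ranges above needs a semver comparison that orders prerelease identifiers correctly (9.6.0-alpha.41 sorts before 9.6.0-alpha.42, and both before 9.6.0). The following is an added example written for this page, not a tool from the Parse project: it implements semver precedence and applies the advisory's ranges. It assumes version strings are plain semver as printed by `npm ls parse-server`; treating 9.0.0 prerelease builds as part of the 9.x range is this example's reading, since strict semver would place them below the ">= 9.0.0" bound.

```javascript
// Added example, not Parse Server project code. Assumes semver-formatted
// version strings (MAJOR.MINOR.PATCH[-prerelease]).

const FIXED_8_LINE = '8.6.53';        // first fixed release for "< 8.6.53"
const FIXED_9_LINE = '9.6.0-alpha.42'; // first fixed build for ">= 9.0.0, < 9.6.0-alpha.42"

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver rule: numeric identifiers compare numerically and sort before alphanumeric ones.
function comparePreIds(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 following semver precedence (a prerelease sorts below its release).
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // longer prerelease list wins
}

// True when the version is inside either affected range listed in the advisory.
function isAffected(version) {
  const major = parseSemver(version).core[0];
  if (major >= 9) return compareSemver(version, FIXED_9_LINE) < 0; // 9.x line, prereleases included
  return compareSemver(version, FIXED_8_LINE) < 0;                  // everything below 8.6.53
}

// Constructed sample versions; run as `node check.js 8.6.52` to test your own.
const sample = process.argv[2] ? [process.argv[2]] : ['8.6.52', '8.6.53', '9.5.0', '9.6.0-alpha.41', '9.6.0-alpha.42'];
for (const v of sample) console.log(`${v}: ${isAffected(v) ? 'AFFECTED' : 'not affected'}`);
```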

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined (not a valid CVSS v4 value; the description above states that the attacker is an authenticated user, which in CVSS v4 terms is Low)
User Interaction:
None

Timeline

  • Vulnerability published: 24 March 2026

  • Vulnerability reserved
