Parse Server LiveQuery: update events for watched protected fields act as a change oracle
CVE-2026-33429

6.3 MEDIUM

Key Information:

CVE Published: 24 March 2026

What is CVE-2026-33429?

Parse Server, an open-source backend, has a vulnerability in its LiveQuery system involving update events for protected fields. An attacker who can subscribe to LiveQuery may pass a watch parameter that names a protected field. Protected field values are stripped from the event payload, but an update event is still emitted whenever a watched field changes, so the presence or absence of the event alone reveals whether the protected field changed. This is a binary oracle. For a boolean protected field it is enough to recover the value: every event means the field flipped, so an attacker who knows (or can guess) the starting value can track the current value from the sequence of events without ever seeing the field. The issue is fixed in versions 8.6.54 and 9.6.0-alpha.43.
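The following is an added example, not Parse Server's own code. It models the oracle described above in a few dozen lines of Node.js: a subscription with a `watch` list, an event dispatcher that scrubs protected fields from the payload but still decides whether to emit based on those fields, and an attacker who tracks a boolean purely from event arrivals. The hardened dispatcher next to it shows one way to close the oracle: drop protected keys from the watch list and from the "did anything relevant change" decision. The class name, the protected-field list, the object values and the update sequence are all constructed for the demo; none of them come from the advisory.

```javascript
// Added example (not Parse Server's own code): a minimal model of how a
// LiveQuery "watch" subscription becomes a change oracle for a field whose
// value the subscriber is never allowed to read.
//
// Assumptions (constructed for this demo, not from the advisory): protected
// fields are a plain per-class array, a subscription carries a `watch` array,
// and an update event is sent when any watched key changed.
const PROTECTED_FIELDS = { _User: ['isAdmin', 'email'] };

function changedKeys(before, after) {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...keys].filter((k) => before[k] !== after[k]);
}

function stripProtected(className, obj) {
  const hidden = new Set(PROTECTED_FIELDS[className] || []);
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !hidden.has(k)));
}

// Vulnerable pattern: the payload is scrubbed, but the decision to emit still
// looks at protected keys, so the event itself leaks "that field changed".
function dispatchVulnerable(sub, className, before, after) {
  const changed = changedKeys(before, after);
  const watched = sub.watch.length ? sub.watch : changed;
  if (!changed.some((k) => watched.includes(k))) return null;
  return { op: 'update', object: stripProtected(className, after) };
}

// Hardened pattern: keys the subscriber may not read are removed from the watch
// list up front, and a change that touches only such keys produces no event.
function dispatchHardened(sub, className, before, after) {
  const hidden = new Set(PROTECTED_FIELDS[className] || []);
  const visibleChanged = changedKeys(before, after).filter((k) => !hidden.has(k));
  const watched = sub.watch.filter((k) => !hidden.has(k));
  // A watch list made up only of protected keys watches nothing the subscriber may see.
  if (sub.watch.length && watched.length === 0) return null;
  const relevant = watched.length
    ? visibleChanged.filter((k) => watched.includes(k))
    : visibleChanged;
  if (relevant.length === 0) return null;
  return { op: 'update', object: stripProtected(className, after) };
}

// Attacker side: knows the initial value of a boolean (for example, new accounts
// start with isAdmin=false) and flips the tracked value every time an event
// arrives. Returns the attacker's guess after each server-side update.
function trackBoolean(dispatch, sub, className, initial, updates) {
  let guess = initial;
  let current = { isAdmin: initial, username: 'alice' };
  const guesses = [];
  for (const patch of updates) {
    const next = { ...current, ...patch };
    if (dispatch(sub, className, current, next) !== null) guess = !guess;
    guesses.push(guess);
    current = next;
  }
  return guesses;
}

// Constructed update sequence: the real isAdmin values after each step are
// true, true, false. The middle update touches only a non-protected field.
const UPDATES = [{ isAdmin: true }, { username: 'alice2' }, { isAdmin: false }];
const ORACLE_SUB = { watch: ['isAdmin'] };

function demo() {
  return {
    vulnerable: trackBoolean(dispatchVulnerable, ORACLE_SUB, '_User', false, UPDATES),
    hardened: trackBoolean(dispatchHardened, ORACLE_SUB, '_User', false, UPDATES),
  };
}

console.log(demo()); // vulnerable tracks the value exactly; hardened learns nothing
```

In the vulnerable dispatcher the attacker's guesses match the real values step for step even though `isAdmin` never appears in any payload. In a real deployment the set of protected fields depends on who is subscribing, so the filtering has to be computed per subscriber rather than from one global list as this demo does.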

Affected Version(s)

parse-server < 8.6.54

parse-server >= 9.0.0, < 9.6.0-alpha.43


CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 March 2026