Sensitive Data Exposure in Parse Server LiveQuery with Concurrent Subscriber Interactions
CVE-2026-34363

8.2 HIGH

Key Information:

Vendor
CVE Published:
31 March 2026

What is CVE-2026-34363?

Parse Server, an open-source backend platform, has a vulnerability in its LiveQuery feature. In versions prior to 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class, the event handlers for those subscriptions run concurrently and operate on shared mutable objects rather than on per-subscriber copies. Per-subscriber filtering applied to that shared state, such as removing protected fields or authentication information for a client that may not see them, is therefore not isolated: sensitive data can be disclosed to clients that should not have access to it, and changes made while processing one subscriber can alter what other subscribers receive, so clients may get incomplete or improperly filtered data. When an afterEvent Cloud Code trigger is involved, the leakage occurs more prominently. Any Parse Server deployment that uses LiveQuery on classes with sensitive fields is at risk; the issue is fixed in 8.6.65 and 9.7.0-alpha.9.
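The following is an added example, not Parse Server's own code, that models the hazard described above: each subscriber's event handler is written as a generator that yields at its "await" points, and a round-robin scheduler interleaves the handlers the way concurrently running async handlers interleave in practice. The field names, the canSeeProtected flag, the afterEventTrigger function and the sample object and subscribers are all constructed for this illustration and are not Parse Server APIs.

```javascript
// Added example, not Parse Server's own code: a model of the shared-mutable-object
// hazard in LiveQuery-style event fan-out. Handlers are generators so that the
// interleaving at await points is deterministic and can be inspected.

// Fields that only privileged subscribers may see (assumption for this example).
const PROTECTED_FIELDS = ['email', 'sessionToken'];

// Constructed sample data: the saved object and two subscribers to the same class.
const savedObject = {
  objectId: 'u1',
  name: 'alice',
  email: 'alice@example.com',
  sessionToken: 'r:abc123',
};
const subscribers = [
  { id: 'guest', canSeeProtected: false },
  { id: 'admin', canSeeProtected: true },
];

// Hypothetical afterEvent Cloud Code trigger: after a simulated async step it
// annotates the object for privileged subscribers only.
function* afterEventTrigger(obj, sub) {
  yield; // simulated await (e.g. a database lookup inside the trigger)
  if (sub.canSeeProtected) {
    obj.auditNote = 'admin-only annotation';
  }
}

// Remove fields the subscriber is not allowed to see, mutating obj in place.
function stripProtected(obj) {
  for (const field of PROTECTED_FIELDS) {
    delete obj[field];
  }
}

// One subscriber's event handler. It returns the serialised payload that would be
// written to that subscriber's websocket.
function* handleEvent(obj, sub) {
  yield* afterEventTrigger(obj, sub);
  if (!sub.canSeeProtected) {
    stripProtected(obj);
  }
  yield; // simulated await before the websocket write
  return JSON.parse(JSON.stringify(obj));
}

// Round-robin scheduler: advances every active handler by one step per round,
// so each handler's mutations become visible to the others mid-flight.
function runConcurrently(generators) {
  const results = new Array(generators.length);
  const active = generators.map((gen, index) => ({ gen, index }));
  while (active.length > 0) {
    for (let k = 0; k < active.length; k++) {
      const step = active[k].gen.next();
      if (step.done) {
        results[active[k].index] = step.value;
        active.splice(k, 1);
        k--;
      }
    }
  }
  return results;
}

// Vulnerable fan-out: one object instance is handed to every handler.
function fanOutShared(saved, subs) {
  const shared = JSON.parse(JSON.stringify(saved)); // a single copy shared by all handlers
  return runConcurrently(subs.map((sub) => handleEvent(shared, sub)));
}

// Hardened fan-out: each handler receives its own deep copy, so per-subscriber
// filtering and trigger mutations cannot cross between subscriptions.
function fanOutIsolated(saved, subs) {
  return runConcurrently(
    subs.map((sub) => handleEvent(JSON.parse(JSON.stringify(saved)), sub))
  );
}

console.log('shared object  :', JSON.stringify(fanOutShared(savedObject, subscribers)));
console.log('isolated copies:', JSON.stringify(fanOutIsolated(savedObject, subscribers)));
```

With the shared object, the guest's payload carries the admin-only auditNote added by the trigger while the guest handler was suspended, and the admin's payload has lost email and sessionToken because the guest handler stripped them from the same object before the admin handler serialised it. Giving every handler its own deep copy before any trigger or filtering runs removes both effects; the JSON round-trip used here is only adequate for plain data, so a real implementation needs a copy that preserves the object type it works with.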

Affected Version(s)

parse-server < 8.6.65 (fixed in 8.6.65)

parse-server >= 9.0.0, < 9.7.0-alpha.9 (fixed in 9.7.0-alpha.9)

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Present (a second, concurrent subscriber to the same class is needed)
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published: 31 March 2026

  • Vulnerability reserved