Security Bypass in Parse Server Affecting Node.js Applications
CVE-2026-34595

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
31 March 2026

What is CVE-2026-34595?

An issue in Parse Server allows an authenticated user who holds class-level permissions to circumvent the protectedFields settings on LiveQuery subscriptions. By crafting the subscription request with specific object types, an attacker can infer whether a protected field meets certain criteria, even though the field's value itself is meant to be hidden. Applications built on Parse Server are therefore exposed to unauthorized disclosure of protected data. The flaw is fixed in the releases listed below.

Affected Version(s)

parse-server < 8.6.70

parse-server >= 9.0.0, < 9.7.0-alpha.18

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved