Access Control Vulnerability in Parse Server by Parse Community
CVE-2026-57481
2.3LOW
What is CVE-2026-57481?
An access control issue exists in Parse Server that allows unauthorized access to object field values. Specifically, when a LiveQuery subscriber saves an object that alters both an object field and their own ACL read access, incorrect object states can be transmitted through enter and leave events. As a result, a subscriber may inadvertently receive sensitive data they are not permitted to access. This vulnerability has been addressed in versions 9.9.1-alpha.13 and 8.6.83, which rectify the handling of object states in these events.
Affected Version(s)
parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.13 < 9.0.0-alpha.1, 9.9.1-alpha.13
parse-server < 8.6.83 < 8.6.83
