Access Control Vulnerability in Parse Server by Parse Community
CVE-2026-57481

2.3LOW

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-57481?

An access control issue exists in Parse Server that allows unauthorized access to object field values. Specifically, when a LiveQuery subscriber saves an object that alters both an object field and their own ACL read access, incorrect object states can be transmitted through enter and leave events. As a result, a subscriber may inadvertently receive sensitive data they are not permitted to access. This vulnerability has been addressed in versions 9.9.1-alpha.13 and 8.6.83, which rectify the handling of object states in these events.

Affected Version(s)

parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.13 < 9.0.0-alpha.1, 9.9.1-alpha.13

parse-server < 8.6.83 < 8.6.83

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.