Parse Server: Authenticated users can access sensitive data
CVE-2026-34595
GHSA-mmg8-87c5-jrc2
Summary
An authenticated user with permission to view certain data may be able to access protected fields in Parse Server. This could disclose information they are not authorized to see. Update to version 8.6.70 or 9.7.0-alpha.18 or later to fix this issue.
What to do
- Update parse-server to version 9.7.0-alpha.16.
- Update parse-server to version 8.6.70.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0, <= 9.7.0-alpha.16 | 9.7.0-alpha.16 |
| – | parse-server | <= 8.6.70 | 8.6.70 |
Original title
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Original description
### Impact
An authenticated user with `find` class-level permission can bypass the `protectedFields` class-level permission setting on LiveQuery subscriptions. By sending a subscription with a `$or`, `$and`, or `$nor` operator value as a plain object with numeric keys and a `length` property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value.
### Patches
The fix validates that `$or`, `$and`, and `$nor` operator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators.
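To make the guard/evaluator mismatch concrete, here is an added example (not Parse Server's own code) of the strict operator check the patch description calls for: every `$or`, `$and` and `$nor` value must be a real array before the protected-field guard walks it. The function names, the `path` labels and the sample queries are hypothetical.

```javascript
'use strict';

// Added example, not Parse Server's own code: a strict check for the
// $or/$and/$nor operators in a LiveQuery-style query object, modelled on
// the fix described in the advisory. All names here are hypothetical.
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Reject any logical-operator value that is not a real array. An array-like
// plain object such as { 0: {...}, length: 1 } satisfies an indexed
// `for (i < value.length)` loop but not Array.isArray, which is the
// mismatch between guard and evaluator that the advisory describes.
function validateLogicalOperators(query, path = '$') {
  if (query === null || typeof query !== 'object' || Array.isArray(query)) return;
  for (const [key, value] of Object.entries(query)) {
    if (LOGICAL_OPERATORS.has(key)) {
      if (!Array.isArray(value)) {
        throw new TypeError(`${path}.${key} must be an array, got ${typeof value}`);
      }
      value.forEach((sub, i) => validateLogicalOperators(sub, `${path}.${key}[${i}]`));
    } else {
      validateLogicalOperators(value, `${path}.${key}`);
    }
  }
}

// Protected-field guard. Because validation runs first, every branch of a
// logical operator is a real array and is visited, so no sub-query can
// reference a protected field without being reported.
function referencedProtectedFields(query, protectedFields) {
  validateLogicalOperators(query);
  const hits = new Set();
  const walk = (q) => {
    if (q === null || typeof q !== 'object') return;
    for (const [key, value] of Object.entries(q)) {
      if (LOGICAL_OPERATORS.has(key)) value.forEach(walk);
      else if (protectedFields.includes(key)) hits.add(key);
    }
  };
  walk(query);
  return [...hits].sort();
}

// Constructed sample subscriptions (not taken from the advisory).
const PROTECTED = ['ssn'];
const ARRAY_QUERY = { $or: [{ name: 'alice' }, { ssn: '000-00-0000' }] };
const ARRAY_LIKE_QUERY = { $or: { 0: { ssn: '000-00-0000' }, length: 1 } };
```

With the check in place, `ARRAY_QUERY` is walked and reports `ssn`, while `ARRAY_LIKE_QUERY` is rejected with a `TypeError` before any field comparison can act as an oracle.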
### Workarounds
There is no known workaround.
NVD CVSS 4.0 score: 5.3
Vulnerability type: CWE-843 (Type Confusion)
- https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01...
- https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf...
- https://github.com/parse-community/parse-server/pull/10350
- https://github.com/parse-community/parse-server/pull/10351
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87...
- https://nvd.nist.gov/vuln/detail/CVE-2026-34595
- https://github.com/advisories/GHSA-mmg8-87c5-jrc2
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 31 Mar 2026