8.3

Parse Server: Unauthorized Access to Restricted Data via LiveQuery

CVE-2026-30947 GHSA-7ch5-98q2-7289
Summary

Parse Server's LiveQuery feature does not enforce class-level permissions (CLP) on subscriptions, so unauthenticated or unauthorized clients can receive sensitive data in real time. This is a concern for organizations that rely on Parse Server to manage data access. To mitigate this issue, update to the latest version of Parse Server or configure LiveQuery to exclude classes with access restrictions.

What to do
  • Update parse-server to version 9.5.2-alpha.3.
  • Update parse-server to version 8.6.16.
  • Update parse to version 9.5.2.
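
Where an immediate upgrade is not possible, the configuration mitigation means finding every class that is both LiveQuery-enabled and restricted by class-level permissions (CLP). The following is an added example, not code from Parse Server or from this advisory: the function names and sample class names are hypothetical, the schema objects are constructed in the shape of Parse Server schema records with a classLevelPermissions field, and it assumes an operation with no CLP entry is public. It does not evaluate pointer permissions or protectedFields.

```javascript
// Added example: find LiveQuery-enabled classes whose CLP restricts reads,
// and compute a LiveQuery class list with those classes removed.

const READ_OPS = ['find', 'get'];

// An operation is restricted when a CLP entry exists for it and that entry
// does not grant public ('*') access. Unset entries are treated as public
// (assumption stated in the lead-in).
function isRestricted(clp, op) {
  const perms = clp && clp[op];
  if (perms === undefined || perms === null) return false;
  return perms['*'] !== true;
}

// Returns [{ className, restrictedOps }] for every class that is listed for
// LiveQuery and has at least one restricted read operation.
function auditLiveQueryExposure(schemas, liveQueryClassNames) {
  const enabled = new Set(liveQueryClassNames || []);
  const findings = [];
  for (const schema of schemas) {
    if (!enabled.has(schema.className)) continue;
    const restrictedOps = READ_OPS.filter(op => isRestricted(schema.classLevelPermissions, op));
    if (restrictedOps.length > 0) findings.push({ className: schema.className, restrictedOps });
  }
  return findings;
}

// Mitigation from the advisory: exclude restricted classes from LiveQuery.
function safeLiveQueryClassNames(schemas, liveQueryClassNames) {
  const exposed = new Set(auditLiveQueryExposure(schemas, liveQueryClassNames).map(f => f.className));
  return liveQueryClassNames.filter(name => !exposed.has(name));
}

// Constructed sample data (not taken from a real deployment).
const sampleSchemas = [
  { className: 'PublicPost', classLevelPermissions: { find: { '*': true }, get: { '*': true } } },
  { className: 'Invoice', classLevelPermissions: { find: { 'role:Accounting': true }, get: { 'role:Accounting': true } } },
  { className: 'Profile', classLevelPermissions: { find: { requiresAuthentication: true }, get: { '*': true } } },
  { className: 'AuditLog', classLevelPermissions: { find: {}, get: {} } }, // restricted, but not LiveQuery-enabled
  { className: 'ChatMessage' }, // no CLP set
];
const sampleLiveQuery = ['PublicPost', 'Invoice', 'Profile', 'ChatMessage'];

console.log(auditLiveQueryExposure(sampleSchemas, sampleLiveQuery));
console.log(safeLiveQueryClassNames(sampleSchemas, sampleLiveQuery));
```

The second list is what would go into the liveQuery classNames option of the Parse Server configuration until a fixed version is deployed.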
Affected software
Vendor  Product  Affected versions  Fix available
parse-server > 9.0.0 , <= 9.5.2-alpha.3 9.5.2-alpha.3
parse-server <= 8.6.16 8.6.16
parseplatform parse-server <= 8.6.16
parseplatform parse-server > 9.0.0 , <= 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parse > 9.0.0 , <= 9.5.2 9.5.2
Original title
Parse Server has a bypass of class-level permissions in LiveQuery
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026