CVE-2026-30947
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Analysis
Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. …
Remediation
Within 24 hours: Identify all Parse Server instances in production and document their versions. Within 7 days: Apply vendor patches (upgrade to 9.5.2-alpha.3 or 8.6.16 or later) across all affected instances, prioritizing systems handling sensitive data. …
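As an added example for the inventory step above (not code from vuln.today or the Parse Server project), a small version-triage helper: it applies the advisory's two fixed versions per major line, orders the pre-release tag in 9.5.2-alpha.3 correctly, and catches the case a plain "is it at least 8.6.16" check misses, namely 9.x releases such as 9.0.0 that are numerically higher than 8.6.16 but still predate 9.5.2-alpha.3. It assumes version strings are semver-formatted ("MAJOR.MINOR.PATCH[-prerelease]").

```javascript
// Added example for CVE-2026-30947 (not code from vuln.today or Parse Server).
// Decides whether a Parse Server version still lacks the LiveQuery CLP fix, using the
// fixed versions named in the advisory: 8.6.16 (8.x line) and 9.5.2-alpha.3 (9.x line).
// Assumption: semver "MAJOR.MINOR.PATCH[-prerelease]" strings; build metadata not handled.

const FIXED_VERSIONS = { 8: '8.6.16', 9: '9.5.2-alpha.3' };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : [] };   // e.g. ['alpha', '3']
}

// Semver pre-release ordering: a release sorts above any pre-release of the same core;
// numeric identifiers compare numerically and sort before alphanumeric ones.
function comparePrerelease(a, b) {
  if (a.length === 0 && b.length > 0) return 1;
  if (b.length === 0 && a.length > 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) { if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1; }
    else if (na) return -1;
    else if (nb) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  return comparePrerelease(a.pre, b.pre);
}

// True when `version` predates the fix on its own major line. Lines with no listed fix
// follow the advisory's "prior to" wording: majors below 8 affected, majors above 9 not.
function isAffected(version) {
  const major = parseVersion(version).core[0];
  const fixed = FIXED_VERSIONS[major];
  if (fixed === undefined) return major < 8;
  return compareVersions(version, fixed) < 0;
}

// Constructed sample versions (not real hosts); a naive ">= 8.6.16" check would clear 9.0.0.
console.log(['8.6.15', '9.0.0', '9.5.2-alpha.3'].filter(isAffected));  // [ '8.6.15', '9.0.0' ]
```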
External POC / Exploit Code
GHSA-7ch5-98q2-7289