Skip to main content

CVE-2026-33163

| EUVDEUVD-2026-12994 HIGH
Information Exposure (CWE-200)
2026-03-18 https://github.com/parse-community/parse-server GHSA-5hmj-jcgp-6hff
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 18, 2026 - 20:00 euvd
EUVD-2026-12994
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
Patch released
Mar 18, 2026 - 20:00 nvd
Patch available
CVE Published
Mar 18, 2026 - 19:49 nvd
HIGH 8.2

DescriptionGitHub Advisory

Impact

When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions (protectedFields) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave).

Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.

Patches

The vulnerability was caused by a reference detachment bug. When an afterEvent trigger is registered, the LiveQuery server converts the event object to a Parse.Object for the trigger, then creates a new JSON copy via toJSONwithObjects(). The sensitive data filter was applied to the Parse.Object reference, but the unfiltered JSON copy was sent to clients. The fix ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.

Workarounds

Remove all Parse.Cloud.afterLiveQueryEvent trigger registrations. Without an afterEvent trigger, the reference detachment does not occur and protected fields are correctly filtered.

AnalysisAI

Parse Server's LiveQuery component leaks protected fields and OAuth authentication data to unauthorized subscribers when an afterLiveQueryEvent trigger is registered for a class. The vulnerability affects Parse Server installations using LiveQuery with afterEvent triggers, allowing any user with basic subscription permissions to access sensitive personal information and third-party OAuth tokens belonging to other users. Patches are available from the vendor with workarounds documented.

Technical ContextAI

Parse Server is a Node.js backend framework (pkg:npm/parse-server) that provides LiveQuery functionality for real-time data synchronization. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and occurs due to a reference detachment bug in the LiveQuery server's event processing pipeline. When Parse.Cloud.afterLiveQueryEvent triggers are registered, the server converts event objects to Parse.Object instances for trigger execution, then creates a JSON copy via toJSONwithObjects(). The sensitive data filter correctly operates on the Parse.Object reference but fails to filter the JSON copy that is actually transmitted to subscribed clients, resulting in protected fields and authData bypassing Class-Level Permissions (CLP) protections.

RemediationAI

Apply the patches provided by Parse Community immediately, available via pull requests at https://github.com/parse-community/parse-server/pull/10232 and https://github.com/parse-community/parse-server/pull/10233. Upgrade to the patched version of parse-server from npm once released. As a temporary workaround until patching is complete, remove all Parse.Cloud.afterLiveQueryEvent trigger registrations from your codebase, as the reference detachment bug only occurs when these triggers are present. Review LiveQuery subscription logs to identify potential unauthorized access to protected fields during the vulnerable period and rotate any exposed OAuth tokens or credentials. Consult the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff for complete remediation guidance.

Share

CVE-2026-33163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy