CVE-2026-33421
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API.
Patches
The LiveQuery server now enforces pointer permissions on each event. After the existing check passes (which defers pointer permissions by design), the fix checks whether any configured pointer field on the object points to the subscribing user. Events for objects that don't match are silently skipped, consistent with how ACL mismatches are handled.
Workarounds
Use ACLs on individual objects to restrict read access instead of relying solely on CLP pointer permissions. ACLs are enforced by LiveQuery.
AnalysisAI
Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.
Technical ContextAI
Parse Server is a Node.js-based backend framework distributed via npm (pkg:npm/parse-server) that provides LiveQuery functionality for real-time WebSocket subscriptions to database changes. The vulnerability stems from CWE-863 (Incorrect Authorization), where the LiveQuery server fails to enforce Class-Level Permission pointer permissions that restrict read access based on whether pointer fields reference the requesting user. While the REST API correctly validates these pointer permissions (readUserFields and pointerFields), the LiveQuery WebSocket implementation defers this check and never performs the secondary validation to ensure pointer fields on objects point to the subscribing user, creating an authorization gap between the two interfaces.
RemediationAI
Apply the vendor-supplied patches available in GitHub pull requests #10250 and #10252 from the Parse Community repository (https://github.com/parse-community/parse-server/pull/10250 and https://github.com/parse-community/parse-server/pull/10252). The patches enforce pointer permission validation on each LiveQuery event by checking whether configured pointer fields point to the subscribing user. As a workaround until patching is completed, implement Access Control Lists (ACLs) on individual objects rather than relying solely on Class-Level Permission pointer fields, as ACLs are properly enforced by LiveQuery. Review the complete security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576 for additional implementation guidance.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fph2-r4qg-9576