Which versions of Oracle are affected by CVE-2026-33429?

CVE-2026-33429 presents moderate security risk rated CVSS 6.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Oracle CVE-2026-33429

Q: What is the CVSS score of CVE-2026-33429?

CVE-2026-33429 has a CVSS 4.0 base score of 6.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Observable Discrepancy (CWE-203)

2026-03-20 https://github.com/parse-community/parse-server

GHSA-qpc3-fg4j-8hgm

Information Disclosure Oracle

6.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 20, 2026 - 20:46 vuln.today

Patch released

Mar 20, 2026 - 20:46 nvd

Patch available

CVE Published

Mar 20, 2026 - 20:45 nvd

MEDIUM 6.3

DescriptionNVD

Impact

An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value.

Patches

The watch parameter is now validated against protected fields at subscription time, mirroring the existing validation for the where clause. Subscriptions that include protected fields in watch are rejected with a permission error. Master key connections are exempt.

Workarounds

None.

AnalysisAI

An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory