Skip to main content

Oracle CVE-2026-33429

MEDIUM
Observable Discrepancy (CWE-203)
2026-03-20 https://github.com/parse-community/parse-server GHSA-qpc3-fg4j-8hgm
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 20:46 vuln.today
Patch released
Mar 20, 2026 - 20:46 nvd
Patch available
CVE Published
Mar 20, 2026 - 20:45 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

Impact

An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value.

Patches

The watch parameter is now validated against protected fields at subscription time, mirroring the existing validation for the where clause. Subscriptions that include protected fields in watch are rejected with a permission error. Master key connections are exempt.

Workarounds

None.

AnalysisAI

An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. The vendor has released patches that validate the watch parameter against protected fields at subscription time, mirroring existing where clause protections.

Technical ContextAI

Parse Server is a Node.js backend framework providing real-time data synchronization through LiveQuery, which allows clients to subscribe to database changes with filtering and watching capabilities. The vulnerability exists in the watch parameter handling of LiveQuery subscriptions (CWE-203: Observable Discrepancy), where the application fails to properly validate that watched fields are not protected at subscription time. While the code correctly strips protected field values from event payloads sent to clients, it still emits update events when protected fields change, allowing an attacker to infer field state from event presence or absence. The affected product is identified via CPE pkg:npm/parse-server, and the root cause is insufficient authorization checking at the subscription layer rather than at the event emission layer.

RemediationAI

Upgrade Parse Server to a patched version that includes the fixes from pull requests #10253 and #10254, which implement validation of the watch parameter against protected fields at subscription time, rejecting subscriptions that include protected fields with a permission error. Consult the official vendor advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm to determine the specific patched version for your installation. No workarounds are available according to the vendor, so patching is the only mitigation strategy; note that master key connections are exempted from the new validation, allowing legitimate administrative use cases to continue functioning. Perform thorough testing of LiveQuery subscriptions in your application after patching to ensure legitimate watch parameters on non-protected fields continue to operate correctly.

Share

CVE-2026-33429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy