CVE-2026-34363
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.
Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state.
Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.
Patches
The fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.
Workarounds
There is no known workaround.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331
AnalysisAI
Parse Server LiveQuery leaks protected fields and authentication data across concurrent subscribers due to shared mutable object state. When multiple clients subscribe to the same class, race conditions in the sensitive data filter allow one subscriber's field filtering to affect other subscribers, exposing data that should remain protected or delivering incomplete objects to authorized clients. Deployments using LiveQuery with protected fields or afterEvent triggers face unauthorized information disclosure. Vendor-released patches are available for Parse Server 8 and 9. No public exploit identified at time of analysis, though the vulnerability is straightforward to trigger in affected configurations.
Technical ContextAI
Parse Server is an open-source Node.js backend framework (npm package: parse-server) that provides LiveQuery functionality for real-time subscriptions to database changes. The vulnerability stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), a classic race condition. LiveQuery's event handler architecture processes multiple subscribers concurrently but incorrectly shares mutable objects across these parallel execution contexts. The sensitive data filter modifies these objects in-place rather than operating on isolated copies. When subscriber A's filter removes a protected field from the shared object, subscriber B receives the already-mutated object, bypassing intended access controls. The same shared-state problem affects afterEvent Cloud Code triggers, where one subscriber's trigger modifications pollute the state visible to others. The root cause is the absence of defensive copying before concurrent processing-a fundamental concurrency safety violation in multi-tenant real-time systems.
RemediationAI
Upgrade Parse Server immediately to the patched versions that implement deep-cloning of shared objects before subscriber processing. For Parse Server 9.x deployments, apply the fix from pull request 10330 (commit 5834e29234593addaa0251a85f572ad4f376320b). For Parse Server 8.x deployments, apply the fix from pull request 10331 (commit 776c71c3078e77d38c94937f463741793609d055). Both patches are available through the official GitHub repository and npm package updates. The vendor advisory explicitly states there is no known workaround, making immediate patching the only viable remediation strategy. Organizations unable to patch immediately should consider temporarily disabling LiveQuery functionality or removing protected field configurations until upgrades can be deployed, though this may impact application functionality. Verify patch application by reviewing the GitHub security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65 and testing LiveQuery behavior with concurrent subscribers after upgrade.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m983-v2ff-wq65