Skip to main content

Parse Server EUVDEUVD-2026-42422

| CVE-2026-57481 LOW
Information Exposure (CWE-200)
2026-07-08 security-advisories@github.com
2.3
CVSS 4.0 · Vendor: github

Severity by source

Vendor (github) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-reachable LiveQuery endpoint but AC:H because exploitation requires a specific co-mutation (field and ACL changed in one save); PR:L for authenticated subscriber; only limited field-value disclosure.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 22:22 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionCVE.org

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83.

AnalysisAI

LiveQuery in Parse Server leaks unauthorized object field values to authenticated subscribers when a single save operation simultaneously modifies a sensitive field and the subscriber's ACL read access, because leave and enter events are built from the wrong object state. Affected deployments run parse-server below 8.6.83 (stable branch) or below 9.9.1-alpha.13 (v9 alpha branch) with LiveQuery enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Parse Server
Delivery
Establish active LiveQuery subscription on target object
Exploit
Wait for server-side atomic field+ACL save operation
Execution
Receive unauthorized sensitive field values in leave/enter event payload
Impact
Extract disclosed data from event

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following specific conditions to align: (1) LiveQuery must be explicitly enabled in the Parse Server configuration - it is not active by default in all deployments; (2) the attacker must hold a valid authenticated session (PR:L) with an active WebSocket LiveQuery subscription to the target Parse Object class; (3) a save operation must simultaneously modify both a sensitive field value and the subscriber's ACL read permission on the same object instance in a single save() call - this is the AT:P condition confirmed by the CVSS 4.0 vector; (4) the WebSocket subscription must be active at the precise moment the co-mutation save is committed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 is a reasonable characterization of real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user subscribes to a Parse Object via LiveQuery with limited read access. A server-side operation - such as a triggered Cloud Function or a bulk data migration - executes a single save() call that simultaneously grants that user ACL read access to the object and updates a sensitive field value. …
Remediation Upgrade to Parse Server 8.6.83 (stable) or 9.9.1-alpha.13 (v9 alpha) as documented in the GitHub releases at https://github.com/parse-community/parse-server/releases/tag/8.6.83 and https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.13. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-42422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy