CVE-2026-34595

MEDIUM

Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Title source: cna

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.

References (5)

[X_Refsource_Confirm] https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2

[X_Refsource_Misc] https://github.com/parse-community/parse-server/pull/10350

[X_Refsource_Misc] https://github.com/parse-community/parse-server/pull/10351

[X_Refsource_Misc] https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98

[X_Refsource_Misc] https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2

View Writeup ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-843

Status published

Products (5)

npm/parse-server 9.0.0 - 9.7.0-alpha.16npm

parse-community/parse-server < 8.6.70

parse-community/parse-server >= 9.0.0, < 9.7.0-alpha.18

parseplatform/parse-server 9.7.0 alpha1 (15 CPE variants)

parseplatform/parse-server < 8.6.70

Published Mar 31, 2026

Tracked Since Mar 31, 2026