CVE-2026-33421

EUVD-2026-14968

24.03.2026, 19:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.53
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.6.0
parseplatform	parse-server	9.6.0:alpha1
parseplatform	parse-server	9.6.0:alpha10
parseplatform	parse-server	9.6.0:alpha11
parseplatform	parse-server	9.6.0:alpha12
parseplatform	parse-server	9.6.0:alpha13
parseplatform	parse-server	9.6.0:alpha14
parseplatform	parse-server	9.6.0:alpha15
parseplatform	parse-server	9.6.0:alpha16
parseplatform	parse-server	9.6.0:alpha17
parseplatform	parse-server	9.6.0:alpha18
parseplatform	parse-server	9.6.0:alpha19
parseplatform	parse-server	9.6.0:alpha2
parseplatform	parse-server	9.6.0:alpha20
parseplatform	parse-server	9.6.0:alpha21
parseplatform	parse-server	9.6.0:alpha22
parseplatform	parse-server	9.6.0:alpha23
parseplatform	parse-server	9.6.0:alpha24
parseplatform	parse-server	9.6.0:alpha25
parseplatform	parse-server	9.6.0:alpha26
parseplatform	parse-server	9.6.0:alpha27
parseplatform	parse-server	9.6.0:alpha28
parseplatform	parse-server	9.6.0:alpha29
parseplatform	parse-server	9.6.0:alpha3
parseplatform	parse-server	9.6.0:alpha30
parseplatform	parse-server	9.6.0:alpha31
parseplatform	parse-server	9.6.0:alpha32
parseplatform	parse-server	9.6.0:alpha33
parseplatform	parse-server	9.6.0:alpha34
parseplatform	parse-server	9.6.0:alpha35
parseplatform	parse-server	9.6.0:alpha36
parseplatform	parse-server	9.6.0:alpha37
parseplatform	parse-server	9.6.0:alpha38
parseplatform	parse-server	9.6.0:alpha39
parseplatform	parse-server	9.6.0:alpha4
parseplatform	parse-server	9.6.0:alpha40
parseplatform	parse-server	9.6.0:alpha41
parseplatform	parse-server	9.6.0:alpha5
parseplatform	parse-server	9.6.0:alpha6
parseplatform	parse-server	9.6.0:alpha7
parseplatform	parse-server	9.6.0:alpha8
parseplatform	parse-server	9.6.0:alpha9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea

https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee

https://github.com/parse-community/parse-server/pull/10250

https://github.com/parse-community/parse-server/pull/10252

https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576