PT-2026-24425 · Unknown · Parse Server
Restriction · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-30947
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.2-alpha.3
Parse Server versions prior to 8.6.16
Description
Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a flaw where class-level permissions (CLP) are not enforced for LiveQuery subscriptions. This allows unauthenticated or unauthorized clients to subscribe to any LiveQuery-enabled class and receive real-time events for all objects, bypassing CLP restrictions. Consequently, data intended to be restricted by CLP is exposed to unauthorized subscribers in real time. All Parse Server deployments utilizing LiveQuery with class-level permissions are potentially affected.
Recommendations
Update to Parse Server version 9.5.2-alpha.3 or later.
Update to Parse Server version 8.6.16 or later.
Weakness Enumeration
Incorrect Authorization
Affected Products
Parse Server