PT-2026-24817 · Bitnami · Parse

Restriction · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-32098

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.9
Parse Server versions prior to 8.6.35
Description

Parse Server is an open-source backend deployable on Node.js infrastructures. An attacker can exploit LiveQuery subscriptions to determine the values of protected fields without directly receiving them. This is achieved by subscribing with a WHERE clause that references a protected field, including through dot-notation or $regex. Observing whether LiveQuery events are delivered for matching objects creates a boolean oracle that reveals protected field values. This issue impacts any class with both protectedFields configured in Class-Level Permissions and LiveQuery enabled. The key component used by the attacker is the WHERE clause of the LiveQuery subscription: the subscription filter is matched against protected fields when deciding whether to deliver an event, so the delivery itself leaks what the subscriber is not allowed to read.
Recommendations

Versions prior to 9.6.0-alpha.9: upgrade to version 9.6.0-alpha.9 or later.
Versions prior to 8.6.35: upgrade to version 8.6.35 or later.

As a workaround, disable LiveQuery for classes that utilize protectedFields in their Class-Level Permissions. Alternatively, remove protectedFields from classes that require LiveQuery functionality.
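As an added example (not part of this advisory and not Parse Server's own code), the following Node.js script audits a deployment for the affected combination, a class that is both listed in the `liveQuery.classNames` option and carries `protectedFields` in its Class-Level Permissions, and applies the advisory's workaround by removing those classes from LiveQuery. The `serverConfig` and `schemas` objects are constructed samples; the schema shape follows the `classLevelPermissions` object returned by Parse Server's schema API.

```javascript
// Constructed sample data (illustrative, not from any real deployment).
// `liveQuery.classNames` is the Parse Server option that enables LiveQuery
// per class; `classLevelPermissions.protectedFields` maps a requester
// (e.g. "*" or "role:admin") to the fields hidden from that requester.
const serverConfig = {
  liveQuery: { classNames: ['Message', 'Profile', 'Ticket'] },
};

const schemas = [
  { className: 'Message', classLevelPermissions: { find: { '*': true } } },
  { className: 'Profile',
    classLevelPermissions: { protectedFields: { '*': ['email', 'phone'], 'role:admin': [] } } },
  { className: 'Ticket',
    classLevelPermissions: { protectedFields: { '*': ['internalNotes'] } } },
  { className: 'AuditLog',   // protected fields but no LiveQuery: not affected
    classLevelPermissions: { protectedFields: { '*': ['actorIp'] } } },
];

// Returns the classes that are both LiveQuery-enabled and protect at least
// one field, i.e. the combination the advisory describes as affected.
// A protectedFields map holding only empty arrays protects nothing and is skipped.
function findAffectedClasses(config, schemaList) {
  const live = new Set((config.liveQuery && config.liveQuery.classNames) || []);
  return schemaList
    .filter((s) => live.has(s.className))
    .map((s) => {
      const pf = (s.classLevelPermissions || {}).protectedFields || {};
      const fields = new Set(Object.values(pf).flat());
      return { className: s.className, protectedFields: [...fields].sort() };
    })
    .filter((r) => r.protectedFields.length > 0);
}

// Advisory workaround: drop affected classes from LiveQuery.
// Returns a new config object; the input is not mutated.
function disableLiveQueryForAffected(config, affected) {
  const drop = new Set(affected.map((a) => a.className));
  const names = (config.liveQuery && config.liveQuery.classNames) || [];
  const remaining = names.filter((c) => !drop.has(c));
  return { ...config, liveQuery: { ...config.liveQuery, classNames: remaining } };
}

const affected = findAffectedClasses(serverConfig, schemas);
for (const a of affected) {
  console.log(`${a.className}: LiveQuery enabled with protectedFields [${a.protectedFields.join(', ')}]`);
}
const hardened = disableLiveQueryForAffected(serverConfig, affected);
console.log('liveQuery.classNames after workaround:', hardened.liveQuery.classNames);
```

Once the fixed version is deployed, the same audit is still useful as a regression check that no class silently re-enters the affected state when CLPs change.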

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-32098
CVE-2026-32098
GHSA-J7MM-F4RV-6Q6Q

Affected Products

Parse
Parse Server