PT-2026-26166 · Unknown · Parse Server

Mtrezza · Published 2026-03-18 · Updated 2026-03-20 · CVE-2026-33163
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.6.0-alpha.35
Parse Server versions prior to 8.6.50
Description
Parse Server is an open source backend deployable on Node.js infrastructures. When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server unintentionally exposes protected fields and authData to all subscribers of that class: Class-Level Permissions (protectedFields) are not enforced in the LiveQuery event payloads for create, update, delete, enter, and leave events. Any client permitted to subscribe to the class can therefore read sensitive data of other users, including personal information and the OAuth tokens carried in authData.

The root cause is a reference detachment bug: a JSON copy of the event object is created before the sensitive data filter is applied, the filter runs on the original reference, and the unfiltered copy is what reaches clients. The fix ensures the filter operates on the data actually sent to clients. The exposure only occurs while such a trigger is registered, which is why removing the trigger is a valid workaround.
Recommendations
Update Parse Server to a version that is not affected: 9.6.0-alpha.35 or later on the 9.x line, 8.6.50 or later on the 8.x line. Where the update cannot be applied yet, remove all Parse.Cloud.afterLiveQueryEvent trigger registrations as a workaround. After either step, verify that a subscription held by a second user no longer receives protectedFields values or authData in LiveQuery events for the affected classes.
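The detached-copy failure described above, next to the fixed behaviour, and the verification check the recommendations call for, as an added example. This is a constructed model written for this page, not Parse Server's own LiveQuery code: `classLevelPermissions`, `aliceUser`, `bob`, `afterLiveQueryEventTrigger`, `pushEventVulnerable`, `pushEventFixed` and `leakedFields` are assumed names, the filter evaluates only the `'*'` entry of protectedFields (role and per-user entries are left out), and authData is modelled as visible only to the user it belongs to.

```javascript
'use strict';

// Constructed sample data (not taken from the advisory). A _User class whose
// Class-Level Permission hides email and phone from every subscriber ('*').
const classLevelPermissions = {
  protectedFields: { '*': ['email', 'phone'] },
};

const aliceUser = {
  className: '_User',
  objectId: 'u1',
  username: 'alice',
  email: 'alice@example.com',
  phone: '+10000000000',
  authData: { github: { id: '42', access_token: 'gho_constructed_token' } },
};

// Subscriber on the other side of the LiveQuery connection (constructed).
const bob = { userId: 'u2' };

// Hypothetical afterLiveQueryEvent handler; it only records that it ran.
const triggerLog = [];
function afterLiveQueryEventTrigger(res) {
  triggerLog.push(res.event);
}

// Sensitive-data filter (simplified model of Parse Server's CLP handling: only
// the '*' entry is evaluated). Returns a copy with the hidden fields removed and
// authData removed unless the subscriber is that user. Never mutates its input.
function filterSensitiveData(object, clp, subscriber) {
  const out = { ...object };
  for (const field of clp.protectedFields['*'] || []) delete out[field];
  if (out.className === '_User' && out.objectId !== subscriber.userId) delete out.authData;
  return out;
}

// Model of the vulnerable push path. `triggerRegistered` mirrors whether a
// Parse.Cloud.afterLiveQueryEvent trigger exists for the class.
function pushEventVulnerable(event, object, subscriber, triggerRegistered) {
  const res = { event, object };
  let payload = res;
  if (triggerRegistered) {
    // Detached JSON copy taken for the trigger before the filter runs.
    payload = JSON.parse(JSON.stringify(res));
    afterLiveQueryEventTrigger(payload);
  }
  // The filter rewrites the original reference ...
  res.object = filterSensitiveData(res.object, classLevelPermissions, subscriber);
  // ... but with a trigger registered the detached copy is what gets sent.
  return payload.object;
}

// Model of the fix: the filter runs on the payload that is actually sent.
function pushEventFixed(event, object, subscriber, triggerRegistered) {
  let payload = { event, object };
  if (triggerRegistered) {
    payload = JSON.parse(JSON.stringify(payload));
    afterLiveQueryEventTrigger(payload);
  }
  payload.object = filterSensitiveData(payload.object, classLevelPermissions, subscriber);
  return payload.object;
}

// Verification helper for a deployment: compare an object received on a
// subscription held by `subscriber` with what the CLP allows, and return the
// keys that should have been stripped. An empty list means no leak.
function leakedFields(receivedObject, clp, subscriber) {
  const allowed = filterSensitiveData(receivedObject, clp, subscriber);
  return Object.keys(receivedObject).filter(key => !(key in allowed)).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, push] of [['vulnerable', pushEventVulnerable], ['fixed', pushEventFixed]]) {
    for (const triggerRegistered of [false, true]) {
      const received = push('update', aliceUser, bob, triggerRegistered);
      const leaked = leakedFields(received, classLevelPermissions, bob);
      console.log(`${name} trigger=${triggerRegistered} leaked=${JSON.stringify(leaked)}`);
    }
  }
}
```

Run with `node`: only the vulnerable path with a trigger registered reports `["authData","email","phone"]`; without a trigger, and in the fixed model in both cases, nothing leaks. To check a real deployment after updating or removing the triggers, feed `leakedFields` the objects received on a subscription held by a second user together with that class's protectedFields.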

Exploit
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers: BIT-PARSE-2026-33163, CVE-2026-33163, GHSA-5HMJ-JCGP-6HFF
Affected Products: Parse Server