PT-2026-26759 · Unknown · Parse Server
Restriction · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33421
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.53
Parse Server versions prior to 9.6.0-alpha.42

Description
Parse Server’s LiveQuery WebSocket interface did not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Authenticated users could subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, even if the pointer fields did not point to the subscribing user. This bypassed intended read access control, potentially allowing unauthorized access to sensitive data. The issue affects the handling of pointer permissions within the LiveQuery functionality.

Recommendations
Update to Parse Server version 8.6.53 or later.
Update to Parse Server version 9.6.0-alpha.42 or later.
As a workaround, use Access Control Lists (ACLs) on individual objects to restrict read access instead of relying solely on CLP pointer permissions.
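The following is an added illustration, not Parse Server's own code: a constructed model of the read-access decision LiveQuery has to make before delivering an event for an object to a subscriber. It uses the JSON shapes Parse uses for CLPs, pointer permissions, pointers and ACLs, but the class, field and user names are made up, roles are not modelled, and treating the subscription as a `find` operation is an assumption for the sake of the example. It contrasts the behaviour the advisory describes (ACL checked, CLP pointer permissions not) with the corrected check, and shows why moving the restriction onto per-object ACLs closes the gap even on an unpatched server.

```javascript
// Added example (not Parse Server code): a constructed model of the read check
// LiveQuery must make before delivering an event to a subscriber. Class, field
// and user names are made up; roles are not modelled.

// True if `value` is a pointer (or array of pointers) to the _User with `userId`.
function pointsToUser(value, userId) {
  if (!value) return false;
  const list = Array.isArray(value) ? value : [value];
  return list.some(
    (p) => p && p.__type === 'Pointer' && p.className === '_User' && p.objectId === userId
  );
}

// CLP decision for one operation. Allowed if the operation is public, the user is
// listed explicitly, or a pointer permission (class-wide readUserFields, or the
// operation's pointerFields) points at the user.
function clpAllows(clp, operation, object, userId) {
  const op = clp[operation] || {};
  if (op['*'] === true || op[userId] === true) return true;
  const pointerFields = [...(clp.readUserFields || []), ...(op.pointerFields || [])];
  return pointerFields.some((field) => pointsToUser(object[field], userId));
}

// Per-object ACL decision. An object without an ACL is publicly readable.
function aclAllowsRead(acl, userId) {
  if (!acl) return true;
  if (acl['*'] && acl['*'].read) return true;
  return Boolean(acl[userId] && acl[userId].read);
}

// Behaviour described in the advisory: the ACL is checked, CLP pointer permissions are not.
function deliversBeforeFix(clp, object, userId) {
  return aclAllowsRead(object.ACL, userId);
}

// Corrected behaviour: the CLP (including pointer permissions) and the ACL must both allow.
// Treating the subscription as a 'find' is an assumption of this model.
function deliversAfterFix(clp, object, userId) {
  return clpAllows(clp, 'find', object, userId) && aclAllowsRead(object.ACL, userId);
}

// objectIds a subscriber would receive events for under a given check.
function visibleTo(check, clp, objects, userId) {
  return objects.filter((o) => check(clp, o, userId)).map((o) => o.objectId);
}

const user = (id) => ({ __type: 'Pointer', className: '_User', objectId: id });

// Constructed sample data: a class guarded only by CLP pointer permissions.
const clpPointerOnly = { find: { pointerFields: ['owner'] }, readUserFields: ['members'] };
const docsPointerOnly = [
  { objectId: 'd1', owner: user('alice') },
  { objectId: 'd2', owner: user('bob'), members: [user('carol')] },
];

// The advisory's workaround: public CLP, access restricted by an ACL on every object.
const clpWorkaround = { find: { '*': true } };
const docsWithAcl = [
  { objectId: 'd1', owner: user('alice'), ACL: { alice: { read: true, write: true } } },
  { objectId: 'd2', owner: user('bob'), ACL: { bob: { read: true, write: true }, carol: { read: true } } },
];

// What subscriber "alice" sees in each configuration, before and after the fix.
function demo() {
  return {
    pointerOnlyBeforeFix: visibleTo(deliversBeforeFix, clpPointerOnly, docsPointerOnly, 'alice'),
    pointerOnlyAfterFix: visibleTo(deliversAfterFix, clpPointerOnly, docsPointerOnly, 'alice'),
    workaroundBeforeFix: visibleTo(deliversBeforeFix, clpWorkaround, docsWithAcl, 'alice'),
    workaroundAfterFix: visibleTo(deliversAfterFix, clpWorkaround, docsWithAcl, 'alice'),
  };
}

console.log(demo());
```

With pointer permissions alone, the pre-fix check delivers both documents to alice because neither carries an ACL, while the corrected check delivers only the one whose `owner` points at her. With the workaround configuration, both checks deliver only the ACL-permitted document, which is why per-object ACLs are an effective stopgap until the server is updated.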

Weakness Enumeration
Incorrect Authorization

Related Identifiers
BIT-PARSE-2026-33421
CVE-2026-33421
GHSA-FPH2-R4QG-9576

Affected Products
Parse Server