PT-2026-26760 · Unknown · Parse Server
Restriction · Published 2026-03-20 · Updated 2026-03-27
CVE-2026-33429 · CVSS v4.0 6.3 (Medium)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.54
Parse Server versions prior to 9.6.0-alpha.43
Description
Parse Server contains a flaw where an attacker can subscribe to LiveQuery using a watch parameter that targets a protected field. While the actual value of the protected field is removed from event payloads, the system still reveals whether the field has been updated, creating a binary oracle. For boolean protected fields, the timing of these events can reveal the field's value. The watch parameter is not validated against protected fields during subscription, which allows this information leakage. Master key connections are exempt from this issue.
Recommendations
Update to Parse Server version 8.6.54 or later.
Update to Parse Server version 9.6.0-alpha.43 or later.
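A defensive check of the kind the fix calls for, written as an added example rather than Parse Server's own code: it rejects a LiveQuery subscription whose watch list names a field that the class's protectedFields rule hides from the requesting client, and exempts master-key connections as the advisory describes. The CLP layout (audience keys '*', 'authenticated', 'role:<name>'), the intersection semantics and the function names are assumptions.

```javascript
// Added example, not Parse Server's own code. Assumed CLP shape: per class, a map
// from audience key ('*', 'authenticated', 'role:<name>') to the fields hidden
// from that audience; the requester's effective protected set is the intersection
// of every applicable list, so the most permissive matching rule wins.
const protectedFields = {
  _User: {
    '*': ['email', 'isBanned'],      // hidden from everyone by default
    authenticated: ['isBanned'],     // signed-in users still cannot see isBanned
    'role:admin': [],                // admins see every field
  },
};

// Audience keys that apply to the requester (constructed requester objects
// carry authenticated / roles / masterKey flags).
function audienceKeys(requester) {
  const keys = ['*'];
  if (requester.authenticated) keys.push('authenticated');
  for (const role of requester.roles || []) keys.push(`role:${role}`);
  return keys;
}

function effectiveProtected(className, requester) {
  const rules = protectedFields[className] || {};
  const lists = audienceKeys(requester)
    .filter((k) => Object.prototype.hasOwnProperty.call(rules, k))
    .map((k) => new Set(rules[k]));
  if (lists.length === 0) return new Set();
  return lists.reduce((acc, s) => new Set([...acc].filter((f) => s.has(f))));
}

// Returns null when the subscription may proceed, otherwise the first watched
// field the requester is not allowed to observe. Stripping the value from the
// event payload alone is not enough: the event itself tells the client that the
// field changed, which is the oracle the advisory describes, so the subscription
// must be refused up front.
function validateWatch(subscription, requester) {
  if (requester.masterKey) return null;
  const hidden = effectiveProtected(subscription.className, requester);
  for (const field of subscription.watch || []) {
    if (hidden.has(field)) return field;
  }
  return null;
}
```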
Side Channel Attack
Affected Products
Parse Server