PT-2026-29165 · Unknown · Parse Server

Mtrezza · Published 2026-03-30 · Updated 2026-04-06 · CVE-2026-34363

CVSS v4.0 8.2 High

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.65
Parse Server versions prior to 9.7.0-alpha.9

Description

Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where sensitive data can leak to unauthorized clients or incomplete data can be received by authorized clients when multiple clients subscribe to the same class via LiveQuery. This occurs because event handlers process subscribers concurrently using shared mutable objects, and the sensitive data filter modifies these objects in-place. Additionally, modifications from one subscriber's afterEvent Cloud Code trigger can leak to other subscribers through the same shared mutable state. Any deployment utilizing LiveQuery with protected fields or afterEvent triggers is potentially affected.

Recommendations

Parse Server versions prior to 8.6.65 should be updated to version 8.6.65 or later. Parse Server versions prior to 9.7.0-alpha.9 should be updated to version 9.7.0-alpha.9 or later.
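
The shared-object failure mode in the description, as an added JavaScript illustration of the bug class. It is not Parse Server's code and not part of the advisory; every function name, the subscriber list and the sample event are constructed for the example. It runs the same fan-out twice, once with all handlers sharing one object and once with a per-subscriber deep copy.

```javascript
// Added illustration of the bug class; NOT Parse Server source code.
// Every name here (deliver, fanOutShared, fanOutIsolated, ...) is hypothetical.
const PROTECTED = ['email'];
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
const clone = (o) => JSON.parse(JSON.stringify(o));

// Constructed subscribers to one class: one may not read protected fields,
// two may, and one of those has an afterEvent-style trigger.
const makeSubscribers = () => [
  { id: 'restricted', canSeeProtected: false, delayMs: 0 },
  { id: 'admin', canSeeProtected: true, delayMs: 5 },
  { id: 'annotator', canSeeProtected: true, delayMs: 0,
    afterEvent: (obj) => { obj.internalNote = 'for annotator only'; } },
];

// Per-subscriber handler: async permission lookup, filter, trigger, send.
async function deliver(obj, sub) {
  await sleep(sub.delayMs);                    // stands in for an async ACL/role lookup
  if (!sub.canSeeProtected) {
    for (const f of PROTECTED) delete obj[f];  // in-place filter: mutates the caller's object
  }
  if (sub.afterEvent) sub.afterEvent(obj);     // trigger edits the same object
  return { to: sub.id, payload: clone(obj) };  // snapshot of what goes on the wire
}

// Flawed pattern: all concurrent handlers share one object reference.
const fanOutShared = (event, subs) =>
  Promise.all(subs.map((s) => deliver(event, s)));

// Hardened pattern: each handler gets its own deep copy before any mutation.
const fanOutIsolated = (event, subs) =>
  Promise.all(subs.map((s) => deliver(clone(event), s)));

async function demo() {
  const event = () => ({ objectId: 'abc', title: 'hello', email: 'user@example.test' });
  const byId = (rs) => Object.fromEntries(rs.map((r) => [r.to, r.payload]));
  return {
    shared: byId(await fanOutShared(event(), makeSubscribers())),
    isolated: byId(await fanOutIsolated(event(), makeSubscribers())),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the shared run the admin payload is missing `email` and carries the annotator's `internalNote`; in the isolated run each subscriber's payload reflects only its own filtering and trigger edits.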

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-34363
CVE-2026-34363
GHSA-M983-V2FF-WQ65

Affected Products

Parse Server