CVE-2026-32098 in parse-server
Summary
by MITRE • 03/11/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Analysis
by VulDB Data Team • 03/14/2026
This vulnerability exists in Parse Server versions prior to 9.6.0-alpha.9 and 8.6.35, where an attacker can exploit LiveQuery subscriptions to infer protected field values through a boolean oracle attack. The flaw occurs when LiveQuery is enabled alongside Class-Level Permissions with protectedFields configured, creating a scenario where unauthorized access to sensitive data becomes possible through indirect observation methods.
The vulnerability lies in how the LiveQuery subscription mechanism responds to filtered queries. When an attacker subscribes to LiveQuery events with a WHERE clause that references a protected field (directly, through dot-notation, or through a regex operator), they can observe whether matching objects trigger events. Each such subscription therefore yields one bit of information about the protected value, and repeated subscriptions with different filters allow the value to be reconstructed.
The operational impact of this vulnerability is significant as it allows attackers to bypass traditional access controls and extract sensitive information from protected fields without direct read permissions. This represents a classic information disclosure vulnerability that can lead to data breaches, particularly affecting applications that rely on Parse Server for backend services and store confidential user data. The attack vector specifically targets systems where both LiveQuery functionality and Class-Level Permissions are enabled simultaneously.
This vulnerability maps to CWE-200 (Information Exposure) and aligns with ATT&CK technique T1213.002 (Data from Information Repositories) in the credential access and reconnaissance phases. The boolean oracle created through LiveQuery event delivery allows attackers to perform iterative queries that progressively reveal protected field contents, making this a sophisticated information leakage mechanism that can be automated for efficient data extraction.
The fix implemented in versions 9.6.0-alpha.9 and 8.6.35 addresses this by strengthening the validation of LiveQuery subscriptions to prevent queries that reference protected fields, regardless of the query operator used. This mitigation ensures that LiveQuery event delivery cannot be used as an indirect means to infer protected field values, maintaining the integrity of Class-Level Permissions. Organizations should immediately upgrade to these patched versions and review their LiveQuery configurations to ensure that protected field access controls remain effective.
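The mechanism described in the analysis and the shape of the fix both come down to one check: a LiveQuery subscription must not be accepted if its `where` clause constrains a field that is protected for the subscriber, whatever operator wraps the constraint. The following is an added example of such a check, written for this page and not taken from parse-server's own code base. It assumes the caller has already resolved the list of protected field names that apply to the subscribing user or role from the class's Class-Level Permissions, and that the `where` object uses Parse's query JSON (operators such as `$regex` and `$exists`, logical `$or`/`$and`/`$nor` arrays, and dot-notation keys such as `profile.phone`). The sample subscriptions and the protected-field list are constructed for illustration.

```javascript
// Added example (not parse-server's own code): reject LiveQuery subscriptions
// whose `where` clause references a protected field, so event delivery cannot
// act as a boolean oracle on that field's value.
//
// Assumptions: `protectedFields` is the flat list of field names protected for
// the subscriber (resolved by the caller from the class's CLP); `where` follows
// Parse's query JSON conventions.

const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Collect every field name the where clause constrains. Fields reached through
// dot-notation are reported both as the full key and as their top-level key,
// and sub-queries inside $or/$and/$nor are walked recursively. The operator
// applied to a field ($regex, $exists, $gt, ...) is irrelevant: any constraint
// on a protected field leaks whether the object matches.
function collectConstrainedFields(where, out = new Set()) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    return out;
  }
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key)) {
      if (Array.isArray(value)) {
        for (const sub of value) collectConstrainedFields(sub, out);
      }
      continue;
    }
    if (key.startsWith('$')) {
      // A top-level operator key (not a field name): nothing to record.
      continue;
    }
    out.add(key);
    const dot = key.indexOf('.');
    if (dot > 0) {
      // "profile.phone" also constrains the top-level field "profile".
      out.add(key.slice(0, dot));
    }
  }
  return out;
}

// Return the protected fields the subscription would leak through event
// delivery; an empty array means the subscription is safe to accept.
function findProtectedFieldReferences(where, protectedFields) {
  const protectedSet = new Set(protectedFields);
  return [...collectConstrainedFields(where)].filter(f => protectedSet.has(f));
}

// Gate a subscribe request: throw when any protected field is referenced,
// otherwise return true so the caller can register the subscription.
function validateSubscription(where, protectedFields) {
  const leaked = findProtectedFieldReferences(where, protectedFields);
  if (leaked.length > 0) {
    throw new Error(`subscription references protected field(s): ${leaked.join(', ')}`);
  }
  return true;
}

// Constructed sample inputs (hypothetical class; not from a real deployment).
const PROTECTED = ['ssn', 'email', 'profile'];

const plainSubscription = { status: 'active', score: { $gt: 10 } };
const regexSubscription = { status: 'active', ssn: { $regex: '^12' } };
const dotSubscription = { 'profile.phone': '555-0100' };
const nestedSubscription = { $or: [{ status: 'x' }, { email: { $exists: true } }] };

// Stand-alone run: the plain subscription is accepted, the others are rejected.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, where] of Object.entries({
    plainSubscription, regexSubscription, dotSubscription, nestedSubscription,
  })) {
    try {
      validateSubscription(where, PROTECTED);
      console.log(`${name}: accepted`);
    } catch (e) {
      console.log(`${name}: rejected (${e.message})`);
    }
  }
}
```

The check deliberately ignores which operator sits under a field: the page notes that `$regex` and dot-notation were the operators the oracle abused, but an `$exists`, `$in` or equality constraint on a protected field leaks the same one bit, so the filter keys on field names alone. Applying this at subscribe time (rather than when each event is delivered) also means an attacker gets no events at all from a rejected subscription, rather than a timing or count signal.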